Abstract. We propose a new approach to practical two-party computation secure against an active 
adversary. All prior practical protocols were based on Yao's garbled circuits. We use an OT-based 
approach and get efficiency via OT extension in the random oracle model. To get a practical protocol 
we introduce a number of novel techniques for relating the outputs and inputs of OTs in a larger 
construction. 

We also report on an implementation of this approach, that shows that our protocol is more efficient 
than any previous one: For big enough circuits, we can evaluate more than 20000 Boolean gates per 
second. As an example, evaluating one oblivious AES encryption (~ 34000 gates) takes 64 seconds, but 
when repeating the task 27 times it only takes less than 3 seconds per instance. 
1 Introduction 



Secure two-party computation (2PC), introduced by Yao [Yao82], allows two parties to jointly 
compute any function of their inputs in such a way that 1) the output of the computation is correct 
and 2) the inputs are kept private. Yao's protocol is secure only if the participants are semi-honest 
(they follow the protocol but try to learn more than they should by looking at their transcript of the 
protocol). A more realistic security definition considers malicious adversaries, that can arbitrarily 
deviate from the protocol. 

A large number of approaches to 2PC have been proposed, falling into three main types: those 
based on Yao's garbled circuit techniques, those based on some form of homomorphic encryption 
and those based on oblivious transfer. Recently a number of efforts to implement 2PC in practice 
have been reported on. In sharp contrast to the theory, almost all of these are based on one type of 
2PC, namely Yao's garbled circuit technique. One of the main advantages of Yao's garbled circuits 
is that it is primarily based on symmetric primitives: it uses one OT per input bit, but then uses 
only a few calls to, e.g., a hash function per gate in the circuit to be evaluated. The other approaches 
are heavy on public-key primitives, which are typically orders of magnitude slower than symmetric 
primitives. 

However, in 2003 Ishai et al. introduced the idea of extending OTs efficiently [IKNP03]: their 
protocol allows turning $\kappa$ seed OTs based on public-key crypto into any polynomial $\ell = \mathrm{poly}(\kappa)$ 
number of OTs using only $O(\ell)$ invocations of a cryptographic hash function. For big enough $\ell$ the 
cost of the $\kappa$ seed OTs is amortized away and OT extension essentially turns OT into a symmetric 
primitive in terms of its computational complexity. Since the basic approach of basing 2PC on OT 
in [GMW87] is efficient in terms of consumption of OTs and communication, this gives the hope 
that OT-based 2PC too could be practical. This paper reports on the first implementation made to 
investigate the practicality of OT-based 2PC. 

Our starting point is the efficient passive-secure OT extension protocol of [IKNP03] and the passive- 
secure 2PC of [GMW87]. In order to get active security and preserve the high practical efficiency 
of these protocols we chose to develop substantially different techniques, differentiating from other 
works that were only interested in asymptotic efficiency [HIKN08,Nie07,IPS08]. We report a number 
of contributions to the theory and practice of 2PC: 

1. We introduce a new technical idea to the area of extending OTs efficiently, which dramatically 
improves the practical efficiency of active-secure OT extension. Our protocol has the same 
asymptotic complexity as the previously best protocol in [HIKN08], but it is only a small factor 
slower than the passive-secure protocol in [IKNP03]. 

2. We give the first implementation of the idea of extending OTs efficiently. The protocol is active- 
secure and generates 500,000 OTs per second, showing that implementations needing a large 
number of OTs can be practical. 

3. We introduce new technical ideas which allow relating the outputs and inputs of OTs in a 
larger construction, via the use of information theoretic tags. This can be seen as a new flavor 
of committed OT that only requires symmetric cryptography. In combination with our first 
contribution, our protocol shows how to efficiently extend committed OT. Our protocols assume 
the existence of OT and are secure in the random oracle model. 

4. We give the first implementation of practical 2PC not based on Yao's garbled circuit technique. 
Introducing a new practical technique is a significant contribution to the field in itself. In 
addition, our protocol shows favorable timings compared to the Yao-based implementations. 
1.1 Comparison with Related Work 



The question on the asymptotical computational overhead of cryptography was (essentially) settled 
in [IKOS08]. On the other hand, there is growing interest in understanding the practical overhead of 
secure computation, and several works have perfected and implemented protocols based on Yao garbled 
circuits [MNPS04,BDNP08,LPS08,KS08,PSSW09,HKS+10,MK11,LP11,SS11,HEK+11], protocols 
based on homomorphic encryption [IPS09,DQ10,JMN10,BDOZ11] and protocols based on 
OT [IPS08,LOP11,CHK+11]. 

Table 1. Brief comparison with other implementations. 

A brief comparison of the time needed for oblivious AES evaluation for the best known 
implementations is shown in Table 1. The protocols in rows (a-b) are for 3 and 4 parties 
respectively, and are secure against at most one corrupted party. One of the goals of the 
work in row (c) is how to efficiently support different outputs for different parties: in our 
OT-based protocol this feature comes for free. The time in row (e) is an estimate made by 
[LOP11] on the running time of their optimized version of the OT-based protocol in [IPS08]. 
The column Round indicates the round complexity of the protocols, $d$ being the depth of the 
circuit, while the column Model indicates whether the protocol was proven secure in the 
standard model (SM) or the random oracle model (ROM). 

The significance of this work is shown in row (g). The reason for the dramatic drop between 
row (f) and (g) is that in (f), when we only encrypt one block, our implementation preprocesses for 
many more gates than is needed, for ease of implementation. In (g) we encrypt 27 blocks, which is 
the minimum value which eats up all the preprocessed values. We consider these results positive: 
our implementation is as fast or faster than any other 2PC protocol, even when encrypting only one 
block. And more importantly, when running at full capacity, the price to pay for active security is 
about a factor 10 against the passive-secure protocol in (d). We stress that this is only a limited 
comparison, as the different experiments were run on different hardware and network setups: when 
several options were available, we selected the best time reported by the other implementations. 
See Sect. 7 for more timings and details of our implementation. 



1.2 Overview of Our Approach 

We start from a classic textbook protocol for two-party computation [Gol04, Sec. 7.3]. In this 
protocol, Alice holds secret shares $x_A, y_A$ and Bob holds secret shares $x_B, y_B$ of some bits $x, y$ 
s.t. $x_A \oplus x_B = x$ and $y_A \oplus y_B = y$. Alice and Bob want to compute secret shares of $z = g(x, y)$ 
where $g$ is some Boolean gate, for instance the AND gate: Alice and Bob need to compute a random 
sharing $z_A, z_B$ of $z = xy = x_A y_A \oplus x_A y_B \oplus x_B y_A \oplus x_B y_B$. The parties can compute the AND of 
their local shares ($x_A y_A$ and $x_B y_B$), while they can use oblivious transfer (OT) to compute the 
cross products ($x_A y_B$ and $x_B y_A$). Now the parties can iterate for the next layer of the circuit, up 
to the end where they will reconstruct the output values by revealing their shares. 

* Oblivious AES has become one of the most common circuits to use for benchmarking generic MPC protocols, due 
to its reasonable size (about 30000 gates) and its relevance as a building block for constructing specific purpose 
protocols, like private set intersection [FIPR05]. 

This protocol is secure against a semi-honest adversary: assuming the OT protocol to be secure, 
Alice and Bob learn nothing about the intermediate values of the computation. It is easy to see 
that if a large circuit is evaluated, then the protocol is not secure against a malicious adversary: any 
of the two parties could replace values on any of the internal wires, leading to a possibly incorrect 
output and/or leakage of information. 

To cope with this, we put MACs on all bits. The starting point of our protocol is oblivious 
authentication of bits. One party, the key holder, holds a uniformly random global key 
$\Delta \in \{0,1\}^\kappa$. The other party, the MAC holder, holds some secret bits ($x, y$, say). 
For each such bit the key holder holds a corresponding uniformly random local key 
($K_x, K_y \in \{0,1\}^\kappa$) and the MAC holder holds the corresponding MAC 
($M_x = K_x \oplus x\Delta$, $M_y = K_y \oplus y\Delta$). The key holder does not know the bits and the 
MAC holder does not know the keys. Note that $M_x \oplus M_y = (K_x \oplus K_y) \oplus (x \oplus y)\Delta$. 
So, the MAC holder can locally compute a MAC on $x \oplus y$ under the key $K_x \oplus K_y$ which is 
non-interactively computable by the key holder. 

This homomorphic property comes from fixing $\Delta$ and we exploit it throughout our 
constructions. From a bottom-up look, our protocol is constructed as follows (see Fig. 1 for 
the main structure): 

Fig. 1. Paper outline ($\mathcal{F}_{2PC}$, Sect. 3; aOT and aAND, Sect. 5 and 6; aBit, Sect. 4). This order of 
presentation is chosen to allow the best progression in introduction of our new techniques. 

Bit Authentication: We first implement oblivious authentication of bits (aBit). As detailed 
in Sect. 4, to construct authenticated bits we start by extending a few (say $\kappa = 640$) seed 
$\binom{2}{1}$-OTs into many (say $\ell = 2^{20}$) OTs, using OT extension. Then, if A wants to get a bit $x$ 
authenticated, she can input it as the choice bit in an OT, while B can input $(K_x, K_x \oplus \Delta)$, 
playing the sender in the OT. Now A receives $M_x = K_x \oplus x\Delta$. It should, of course, be ensured 
that even a corrupted B uses the same value $\Delta$ in all OTs. I.e., it should hold for all produced 
OTs that the XORs of the offered message pairs are constant; this constant value is then taken 
to be $\Delta$. It turns out, however, that when using the highly efficient passive-secure OT extender 
in [IKNP03] and starting from seed OTs where the XORs of message pairs are constant, one also 
produces OTs where the XORs of message pairs are constant, and we note that for this use the 
protocol in [IKNP03] happens to be active-secure. Using cut-and-choose we ensure that most of 
the XORs of message pairs offered in the seed OTs are constant, and with a new and inexpensive 
trick we offer privacy and correctness even if few of these XORs have different values. This 
cut-and-choose technique uses one call to a box EQ for checking equality. 

Authenticated local AND: From aBits we then construct authenticated local ANDs (aAND), 
where the MAC holder locally holds random authenticated bits a, b, c with c = ab. To create 
authenticated local ANDs, we let one party compute c = ab for random a and b and get 
authentications on a,b,c (when creating aANDs, we assume the aBits are already available). 
The challenge is to ensure that c = ab. We construct an efficient proof for this fact, again using 
the box EQ once. This proof might, however, leak the bit a with small but noticeable probability. 
We correct this using a combiner. 

Authenticated OT: From aBits we also construct authenticated OTs (aOT), which are normal 
$\binom{2}{1}$-OTs of bits, but where all input bits and output bits are obliviously authenticated. This is 
done by letting the two parties generate aBits representing the sender messages $x_0, x_1$ and the 
receiver choice bit $c$. To produce the receiver's output, first a random aBit is sampled. Then this 
bit is "corrected" in order to be consistent with the run of an OT protocol with input messages 
$x_0, x_1$ and choice bit $c$. This correction might, however, leak the bit $c$ with small but noticeable 
probability. We correct this using an OT combiner. One call to the box EQ is used. 

2PC: Given two aANDs and two aOTs one can evaluate in a very efficient way any Boolean gate: 
only 4 bits per gate are communicated, as the MACs can be checked in an amortized manner. 

That efficient 2PC is possible given enough aBits, aANDs and aOTs is no surprise. In some 
sense, it is the standard way to base passive-secure 2PC on passive-secure OT enhanced with a 
particular flavor of committed OT (as in [CvdGT95,Gar04]). What is new is that we managed to 
find a particular committed OT-like primitive which allows both a very efficient generation and a 
very efficient use: while previous results based on committed OT require hundreds of exponentiations 
per gate, our cost per gate is in the order of hundreds of hash functions. To the best of our knowledge, 
we present the first practical approach to extending a few seed OTs into a large number of committed 
OT-like primitives. Of more specific technical contributions, the main is that we manage to do all 
the proofs efficiently, thanks also to the preprocessing nature of our protocol: creating aBits, we get 
active security paying only a constant overhead over the passive-secure protocol in [IKNP03]. In the 
generation of aANDs and aOTs, we replace cut-and-choose with efficient, slightly leaky proofs and 
then use a combiner to get rid of the leakage: when we preprocess for $\ell$ gates and combine $B$ leaky 
objects to get each potentially unleaky object, the probability of leaking is $(2\ell)^{-(B-1)} = 2^{-\log_2(\ell)(B-1)}$. 
As an example, if we preprocess for $2^{20}$ gates with an overhead of $B = 6$, then we get leakage 
probability $2^{-100}$. 

As a corollary to being able to generate any $\ell = \mathrm{poly}(\kappa)$ active-secure aBits from $O(\kappa)$ seed OTs 
and $O(\ell)$ calls to a hash function, we get that we can generate any $\ell = \mathrm{poly}(\kappa)$ active-secure $\binom{2}{1}$-OTs 
of $\kappa$-bit strings from $O(\kappa)$ seed OTs and $O(\ell)$ calls to a hash function, matching the asymptotic 
complexity of [HIKN08] while dramatically reducing their hidden constants. 

2 Preliminaries and Notation 

We use $\kappa$ (and sometimes $\psi$) to denote the security parameter. We require that a poly-time adversary 
break the protocol with probability at most $\mathrm{poly}(\kappa)2^{-\kappa}$. For a bit-string $S \in \{0,1\}^*$ we define 
$0S = 0^{|S|}$ and $1S = S$. For a finite set $S$ we use $s \in_R S$ to denote that $s$ is chosen uniformly at 
random in $S$. For a finite distribution $D$ we use $x \leftarrow D$ to denote that $x$ is sampled according to $D$. 

The UC Framework We prove our results static, active-secure in the UC framework [Can01], 
and we assume the reader to be familiar with it. We will idiosyncratically use the word box instead 
of the usual term ideal functionality. To simplify the statements of our results we use the following 
terminology: 

Definition 1. We say that a box $A$ is reducible to a box $B$ if there exists an actively secure imple- 
mentation $\Pi$ of $A$ which uses only one call to $B$. We say that $A$ is locally reducible to $B$ if the parties 
of $\Pi$ do not communicate (except through the one call to $B$). We say that $A$ is linear reducible to $B$ 
if the computing time of all parties of $\Pi$ is linear in their inputs and outputs. We use equivalent to 
denote reducibility in both directions. 

It is easy to see that if A is (linear, locally) reducible to B and B is (linear, locally) reducible 
to C, then A is (linear, locally) reducible to C. 
Hash Functions We use a hash function $H: \{0,1\}^* \to \{0,1\}^\kappa$, which we model as a random 
oracle (RO). We sometimes use $H$ to mask a message, as in $H(x) \oplus M$. If $|M| \neq \kappa$, this denotes 
$\mathrm{prg}(H(x)) \oplus M$, where prg is a pseudo-random generator $\mathrm{prg}: \{0,1\}^\kappa \to \{0,1\}^{|M|}$. We also use a 
collision-resistant hash function $G: \{0,1\}^{2\kappa} \to \{0,1\}^\kappa$. 

As other 2PC protocols whose focus is efficiency [KS08,HEK+11], we are content with a proof 
in the random oracle model. What the exact assumption on the hash function is that we need for 
our protocol to be secure, as well as whether this can be implemented under standard cryptographic 
assumptions, is an interesting theoretical question, see [AHI10,CKKZ11]. 

Oblivious Transfer We use a box $\mathrm{OT}(\tau, \ell)$ which can be used to perform $\tau$ $\binom{2}{1}$-oblivious transfers 
of strings of bit-length $\ell$. In each of the $\tau$ OTs the sender S has two inputs $x_0, x_1 \in \{0,1\}^\ell$, called 
the messages, and the receiver R has an input $c \in \{0,1\}$, called the choice bit. The output to R is 
$x_c = c(x_0 \oplus x_1) \oplus x_0$. No party learns any other information. 

Equality Check We use a box $\mathrm{EQ}(\ell)$ which allows two parties to check that two strings of length 
$\ell$ are equal. If they are different the box leaks both strings to the adversary, which makes secure 
implementation easier. We define and use this box to simplify the exposition of our protocol. In 
practice we implement the box by letting the parties compare exchanged hashes of their values: this 
is a secure implementation of the box in the random oracle model. 

For completeness we give a protocol which securely implements EQ in the RO model. Let 
$H: \{0,1\}^* \to \{0,1\}^\kappa$ be a hash function, modeled as a RO. Let $\kappa$ be the security parameter. 

1. A chooses a random string $r \in_R \{0,1\}^\kappa$, computes $c = H(x\|r)$ and sends it to B. 

2. B sends $y$ to A. 

3. A sends $x, r$ to B. A outputs $x = y$. 

4. B outputs $(H(x\|r) = c) \wedge (x = y)$. 
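The four steps above, as an added example that is not the paper's code: SHA-256 stands in for the random oracle $H$, both parties keep their values as fixed-length byte strings, and a flag lets A try to open her commitment to $y$ after seeing it, which B's check in step 4 rejects. The class and function names are the example's own.

```python
import hashlib
import hmac
import os

KAPPA = 32  # length in bytes of r and of H's output (SHA-256 stands in for the RO)


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class PartyA:
    """Holds x; commits to it under a fresh random r before seeing y."""

    def __init__(self, x: bytes) -> None:
        self.x, self.r = x, os.urandom(KAPPA)

    def step1(self) -> bytes:                  # c = H(x || r), sent to B
        return H(self.x + self.r)

    def step3(self, y: bytes):                 # open: send (x, r); output x == y
        self.out = hmac.compare_digest(self.x, y)
        return self.x, self.r


class PartyB:
    """Holds y; answers the commitment with y, then verifies the opening."""

    def __init__(self, y: bytes) -> None:
        self.y = y

    def step2(self, c: bytes) -> bytes:        # store c, send y to A
        self.c = c
        return self.y

    def step4(self, x: bytes, r: bytes) -> bool:   # (H(x || r) = c) and (x = y)
        return hmac.compare_digest(H(x + r), self.c) and hmac.compare_digest(x, self.y)


def run_eq(x: bytes, y: bytes, a_cheats: bool = False):
    """Run EQ on two fixed-length strings; returns (A's output, B's output).
    With a_cheats, A opens to y instead of x after seeing y: c binds her to x, so B rejects."""
    a, b = PartyA(x), PartyB(y)
    y_seen = b.step2(a.step1())
    x_open, r_open = a.step3(y_seen)
    if a_cheats:
        x_open = y_seen
    return a.out, b.step4(x_open, r_open)
```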

This is a secure implementation of the $\mathrm{EQ}(\ell)$ functionality in the RO model. If A is corrupted, 
the simulator extracts $x, r$ from the simulated call to the RO, if the hash function was queried with 
an input which yielded the $c$ sent by A. Then, it inputs $x$ to EQ and receives $(x, y)$ from the ideal 
functionality (if $x \neq y$). If the hash function was not queried with an input which yielded the $c$ sent 
by A, then the simulator inputs a uniformly random $x$ to EQ and receives $(x, y)$. It then sends $y$ 
to the corrupted A. On input $x', r'$ from A, if $(x', r') \neq (x, r)$ the simulator inputs "abort" to the 
EQ functionality on behalf of A, or "deliver" otherwise. If $(x', r') = (x, r)$, simulation is perfect. If 
they are different, the only way that the environment can distinguish is by finding $(x', r') \neq (x, r)$ 
s.t. $H(x\|r) = H(x'\|r')$ or by finding $(x', r')$ such that $c = H(x'\|r')$ for a $c$ which did not result from 
a previous query. In the random oracle both events happen with probability less than $\mathrm{poly}(\kappa)2^{-\kappa}$, 
as the environment is only allowed a polynomial number of calls to the RO. 

If B is corrupted, then the simulator sends a random value $c \in_R \{0,1\}^\kappa$ to B. Then, on input $y$ 
from B it inputs this value to the EQ box and receives $(x, y)$. Now, it chooses a random $r \in_R \{0,1\}^\kappa$ 
and programs the RO to output $c$ on input $x\|r$, and sends $x$ and $r$ to B. Simulation is perfect, 
and the environment can only distinguish if it had already queried the RO on input $x\|r$, and this 
happens with probability $\mathrm{poly}(\kappa)2^{-\kappa}$, as $r \in \{0,1\}^\kappa$ is uniformly random, and the environment is 
only allowed a polynomial number of calls to the RO. 
Leakage Functions We use a notion of a class $\mathcal{L}$ of leakage functions on $\tau$ bits. The context is that 
there is some uniformly random secret value $\Delta \in_R \{0,1\}^\tau$ and some adversary $\mathcal{A}$ wants to guess $\Delta$. 
To aid $\mathcal{A}$, she can do an attack which might leak some of the bits of $\Delta$. The attack, however, might 
be detected. Each $L \in \mathcal{L}$ is a poly-time sampleable distribution on $(S, c) \in 2^{\{1,\dots,\tau\}} \times \{0,1\}$. Here 
$c$ specifies if the attack was detected, where $c = 0$ signals detection, and $S$ specifies the bits to be 
leaked if the attack was not detected. We need a measure of how many bits a class $\mathcal{L}$ leaks. We do 
this via a game for an unbounded adversary $\mathcal{A}$. 

1. The game picks a uniformly random $\Delta \in_R \{0,1\}^\tau$. 

2. $\mathcal{A}$ inputs $L \in \mathcal{L}$. 

3. The game samples $(S, c) \leftarrow L$. If $c = 0$, $\mathcal{A}$ loses. If $c = 1$, the game gives $\{(i, \Delta_i)\}_{i \in S}$ to $\mathcal{A}$. 

4. Let $\bar{S} = \{1, \dots, \tau\} \setminus S$. $\mathcal{A}$ inputs the guesses $\{(i, g_i)\}_{i \in \bar{S}}$. If $g_i = \Delta_i$ for all $i \in \bar{S}$, $\mathcal{A}$ wins, otherwise 
she loses. 

We say that an adversary $\mathcal{A}$ is optimal if she has the highest possible probability of winning the 
game above. If there were no leakage, i.e., $S = \emptyset$, then it is clear that the optimal $\mathcal{A}$ wins the game 
with probability exactly $2^{-\tau}$. If $\mathcal{A}$ is always given exactly $s$ bits and is never detected, then it is 
clear that the optimal $\mathcal{A}$ can win the game with probability exactly $2^{s-\tau}$. This motivates defining 
the number of bits leaked by $\mathcal{L}$ to be $\mathrm{leak}_{\mathcal{L}} = \log_2(\mathrm{success}_{\mathcal{L}}) + \tau$, where $\mathrm{success}_{\mathcal{L}}$ is the probability 
that the optimal $\mathcal{A}$ wins the game. It is easy (details below) to see that if we take expectation over 
random $(S, c)$ sampled from $L$, then $\mathrm{leak}_{\mathcal{L}} = \max_{L \in \mathcal{L}} \log_2(E[c\, 2^{|S|}])$. 

We say that $\mathcal{L}$ is $\kappa$-secure if $\tau - \mathrm{leak}_{\mathcal{L}} \geq \kappa$, and it is clear that if $\mathcal{L}$ is $\kappa$-secure, then no $\mathcal{A}$ can 
win the game with probability better than $2^{-\kappa}$. 

We now rewrite the definition of leak£ to make it more workable. 

It is clear that the optimal $\mathcal{A}$ can guess all $\Delta_i$ for $i \in \bar{S}$ with probability exactly $2^{|S|-\tau}$. This means 
that the optimal $\mathcal{A}$ wins with probability $\sum_{s=0}^{\tau} \Pr[(S,c) \leftarrow L : |S| = s \wedge c = 1]\, 2^{s-\tau}$. To simplify this 
expression we define index variables $I_s, J_s \in \{0,1\}$ where $I_s$ is 1 iff $c = 1$ and $|S| = s$, and $J_s$ is 1 iff 
$|S| = s$. Note that $I_s = cJ_s$ and that $\sum_s J_s 2^s = 2^{|S|}$. So, if we take expectation over $(S,c)$ sampled 
from $L$, then we get that 

$$\sum_{s=0}^{\tau} \Pr[(S,c) \leftarrow L : |S| = s \wedge c = 1]\, 2^s = \sum_{s=0}^{\tau} E[I_s]\, 2^s = E\Big[\sum_{s=0}^{\tau} cJ_s 2^s\Big] = E\Big[c \sum_{s=0}^{\tau} J_s 2^s\Big] = E\big[c\, 2^{|S|}\big].$$

Hence $\mathrm{success}_L = 2^{-\tau} E[c\, 2^{|S|}]$ is the probability of winning when using $L$ and playing optimally. 
Hence $\mathrm{success}_{\mathcal{L}} = \max_{L \in \mathcal{L}} (2^{-\tau} E[c\, 2^{|S|}])$ and $\log_2(\mathrm{success}_{\mathcal{L}}) = -\tau + \log_2 \max_{L \in \mathcal{L}} (E[c\, 2^{|S|}])$, which 
shows that 

$$\mathrm{leak}_{\mathcal{L}} = \max_{L \in \mathcal{L}} \log_2 E\big[c\, 2^{|S|}\big]$$

as claimed above. 



3 The Two-Party Computation Protocol 
Fig. 2. Sect. 3 outline ($\mathcal{F}_{2PC}$ built from aBit, aOT and aAND). 



We want to implement the box $\mathcal{F}_{2PC}$ for Boolean two-party secure computation as described in 
Fig. 4. We will implement this box in the $\mathcal{F}_{DEAL}$-hybrid model of Fig. 5. This box provides the 
parties with aBits, aANDs and aOTs, and models the preprocessing phase of our protocol. We 
introduce notation in Fig. 3 for working with authenticated bits. The protocol implementing $\mathcal{F}_{2PC}$ 
in the dealer model is described in Fig. 6. The dealer offers random authenticated bits (to A or B), 
random authenticated local AND triples and random authenticated OTs. Those are all the 
ingredients that we need to build the 2PC protocol. Note that the dealer offers randomized 
versions of all commands: this is not a problem as the "standard" versions of the commands (the 
ones where the parties can specify their input bits instead of getting them at random from the box) 
are linearly reducible to the randomized versions, as can be easily deduced from the protocol 
description. The following result is proven in App. B. 



Theorem 1. The protocol in Fig. 6 securely implements the box $\mathcal{F}_{2PC}$ in the $\mathcal{F}_{DEAL}$-hybrid model 
with security parameter $\kappa$. 



Global Key: We call $\Delta_A, \Delta_B \in \{0,1\}^\kappa$ the two global keys, held by B and A respectively. 

Authenticated Bit: We write $[x]_A$ to represent an authenticated secret bit held by A. Here B knows a key 
$K_x \in \{0,1\}^\kappa$ and A knows a bit $x$ and a MAC $M_x = K_x \oplus x\Delta_A \in \{0,1\}^\kappa$. Let $[x]_A = (x, M_x, K_x)$.¹ 
If $[x]_A = (x, M_x, K_x)$ and $[y]_A = (y, M_y, K_y)$ we write $[z]_A = [x]_A \oplus [y]_A$ to indicate $[z]_A = (z, M_z, K_z) = 
(x \oplus y, M_x \oplus M_y, K_x \oplus K_y)$. Note that no communication is required to compute $[z]_A$ from $[x]_A$ and $[y]_A$. 
It is possible to authenticate a constant bit (a value known both to A and B) $b \in \{0,1\}$ as follows: A sets 
$M_b = 0^\kappa$, B sets $K_b = b\Delta_A$, now $[b]_A = (b, M_b, K_b)$. For a constant $b$ we let $[x]_A \oplus b = [x]_A \oplus [b]_A$, and we 
let $b[x]_A$ be equal to $[0]_A$ if $b = 0$ and $[x]_A$ if $b = 1$. 

We say that A reveals $[x]_A$ by sending $(x, M_x)$ to B who aborts if $M_x \neq K_x \oplus x\Delta_A$. Alternatively we say 
that A announces $x$ by sending $x$ to B without a MAC. 

Authenticated bits belonging to B are written as $[y]_B$ and are defined symmetrically, changing side of all the 
values and using the global value $\Delta_B$ instead of $\Delta_A$. 

Authenticated Share: We write $[x]$ to represent the situation where A and B hold $[x_A]_A, [x_B]_B$ and $x = x_A \oplus x_B$, 
and we write $[x] = ([x_A]_A, [x_B]_B)$ or $[x] = [x_A|x_B]$. 

If $[x] = [x_A|x_B]$ and $[y] = [y_A|y_B]$ we write $[z] = [x] \oplus [y]$ to indicate $[z] = ([z_A]_A, [z_B]_B) = ([x_A]_A \oplus 
[y_A]_A, [x_B]_B \oplus [y_B]_B)$. Note that no communication is required to compute $[z]$ from $[x]$ and $[y]$. 

It is possible to create an authenticated share of a constant $b \in \{0,1\}$ as follows: A and B create $[b] = [b|0]$. 

For a constant value $b \in \{0,1\}$, we define $b[x]$ to be equal to $[0]$ if $b = 0$ and $[x]$ if $b = 1$. 

When an authenticated share is revealed, the parties reveal to each other their authenticated bits and abort 
if the MACs are not correct. 

¹ Since $\Delta_A$ is a global value we will not always write it explicitly. Note that in $x\Delta_A$, $x$ represents a value, 0 or 1, 
and that in $[x]_A$, $K_x$ and $M_x$ it represents a variable name. I.e., there is only one key (MAC) per authenticated 
bit, and for the bit named $x$, the key (MAC) is named $K_x$ ($M_x$). If $x = 0$, then $M_x = K_x$. If $x = 1$, then 
$M_x = K_x \oplus \Delta_A$. 

Fig. 3. Notation for authenticated and shared bits. 



Why the global key queries? The $\mathcal{F}_{DEAL}$ box (Fig. 5) allows the adversary to guess the value 
of the global key, and it informs it if its guess is correct. This is needed for technical reasons: 
When $\mathcal{F}_{DEAL}$ is proven UC secure, the environment has access to either $\mathcal{F}_{DEAL}$ or the protocol 
implementing $\mathcal{F}_{DEAL}$. In both cases the environment learns the global keys $\Delta_A$ and $\Delta_B$. In particular, 
Rand: On input (rand, vid) from A and B, with vid a fresh identifier, the box picks $r \in_R \{0,1\}$ and stores 
(vid, r). 

Input: On input (input, P, vid, x) from P $\in$ {A, B} and (input, P, vid, ?) from the other party, with vid a fresh 
identifier, the box stores (vid, x). 

XOR: On command (xor, vid1, vid2, vid3) from both parties (if vid1, vid2 are defined and vid3 is fresh), the box 
retrieves (vid1, x), (vid2, y) and stores (vid3, $x \oplus y$). 

AND: As XOR, but store (vid3, $x \cdot y$). 

Output: On input (output, P, vid) from both parties, with P $\in$ {A, B} (and vid defined), the box retrieves 
(vid, x) and outputs it to P. 

At each command the box leaks to the environment which command is being executed (keeping the value $x$ in 
Input secret), and delivers messages only when the environment says so. 

Fig. 4. The box $\mathcal{F}_{2PC}$ for Boolean Two-party Computation. 

Initialize: On input (init) from A and (init) from B, the box samples $\Delta_A, \Delta_B \in \{0,1\}^\kappa$, stores them and 
outputs $\Delta_B$ to A and $\Delta_A$ to B. If A (resp. B) is corrupted, she gets to choose $\Delta_B$ (resp. $\Delta_A$). 

Authenticated Bit (A): On input (aBIT, A) from A and B, the box samples a random $[x]_A = (x, M_x, K_x)$ 
with $M_x = K_x \oplus x\Delta_A$ and outputs it ($x, M_x$ to A and $K_x$ to B). If B is corrupted he gets to choose $K_x$. If 
A is corrupted she gets to choose $(x, M_x)$, and the box sets $K_x = M_x \oplus x\Delta_A$. 

Authenticated Bit (B): On input (aBIT, B) from A and B, the box samples a random $[x]_B = (x, M_x, K_x)$ 
with $M_x = K_x \oplus x\Delta_B$ and outputs it ($x, M_x$ to B and $K_x$ to A). As in Authenticated Bit (A), corrupted 
parties can choose their own randomness. 

Authenticated local AND (A): On input (aAND, A) from A and B, the box samples random $[x]_A, [y]_A$ and 
$[z]_A$ with $z = xy$ and outputs them. As in Authenticated Bit (A), corrupted parties can choose their own 
randomness. 

Authenticated local AND (B): Defined symmetrically. 

Authenticated OT (A-B): On input (aOT, A, B) from A and B, the box samples random $[x_0]_A, [x_1]_A, [c]_B$ and 
$[z]_B$ with $z = x_c = c(x_0 \oplus x_1) \oplus x_0$ and outputs them. As in Authenticated Bit, corrupted parties can 
choose their own randomness. 

Authenticated OT (B-A): Defined symmetrically.² 

Global Key Queries: The adversary can at any point input (A, $\Delta$) and be told whether $\Delta = \Delta_B$. And it can 
at any point input (B, $\Delta$) and be told whether $\Delta = \Delta_A$. 

² The dealer offers aOTs in both directions. Notice that the dealer could offer aOT only in one direction and 
the parties could then "turn" them: as regular OT, aOT is symmetric as well. 

Fig. 5. The box $\mathcal{F}_{DEAL}$ for dealing preprocessed values. 

the environment learns $\Delta_A$ even if B is honest. This requires us to prove the sub-protocol for $\mathcal{F}_{DEAL}$ 
secure to an adversary knowing $\Delta_A$ even if B is honest: to be able to do this, the simulator 
needs to recognize $\Delta_A$ if it sees it, hence the global key queries. Note, however, that in the context 
where we use $\mathcal{F}_{DEAL}$ (Fig. 6), the environment does not learn the global key $\Delta_A$ when B is honest: 
a corrupted A only sees MACs on one bit using the same local key, so all MACs are uniformly 
random in the view of a corrupted A, and B never makes the local keys public. 

Amortized MAC checks. In the protocol of Fig. 6, there is no need to send MACs and check 
them every time we do a "reveal". In fact, it is straightforward to verify that before an Output 
command is executed, the protocol is perfectly secure even if the MACs are not checked. Notice 
then that a key holder checks a MAC $M_x$ on a bit $x$ by computing $M'_x = K_x \oplus x\Delta$ and comparing 
to the $M_x$ which was sent along with $x$. These equality checks can be deferred and amortized. 
Initially the MAC holder, e.g. A, sets $N = 0^\kappa$ and the key holder, e.g. B, sets $N' = 0^\kappa$. As long 
as no Output command is executed, when A reveals $x$ she updates $N \leftarrow G(N, H(M_x))$ for the 
MAC $M_x$ she should have sent along with $x$, and B updates $N' \leftarrow G(N', H(M'_x))$. Before executing 
Initialize: When activated the first time, A and B activate $\mathcal{F}_{DEAL}$ and receive $\Delta_B$ and $\Delta_A$ respectively. 

Rand: A and B ask $\mathcal{F}_{DEAL}$ for random authenticated bits $[r_A]_A, [r_B]_B$ and store $[r] = [r_A|r_B]$ under vid. 

Input: If P = A, then A asks $\mathcal{F}_{DEAL}$ for an authenticated bit $[x_A]_A$ and announces (i.e., no MAC is sent together 
with the bit) $x_B = x \oplus x_A$, and the parties build $[x_B]_B$ and define $[x] = [x_A|x_B]$. The protocol is symmetric 
for B. 

XOR: A and B retrieve $[x], [y]$ stored under vid1, vid2 and store $[z] = [x] \oplus [y]$ under vid3. For brevity we drop 
explicit mentioning of variable identifiers below. 

AND: A and B retrieve $[x], [y]$ and compute $[z] = [xy]$ as follows: 

1. The parties ask $\mathcal{F}_{DEAL}$ for a random AND triplet $[u]_A, [v]_A, [w]_A$ with $w = uv$. 
A reveals $[f]_A = [u]_A \oplus [x_A]_A$ and $[g]_A = [v]_A \oplus [y_A]_A$. 
The parties compute $[x_A y_A]_A = f[y_A]_A \oplus g[x_A]_A \oplus [w]_A \oplus fg$. 

2. Symmetrically the parties compute $[x_B y_B]_B$. 

3. The parties ask $\mathcal{F}_{DEAL}$ for a random authenticated OT $[u_0]_A, [u_1]_A, [c]_B, [w]_B$ with $w = u_c$. 
They also ask for an authenticated bit $[t_A]_A$. 
Now B reveals $[d]_B = [c]_B \oplus [y_B]_B$. 
A reveals $[f]_A = [u_0]_A \oplus [u_1]_A \oplus [x_A]_A$ and $[g]_A = [t_A]_A \oplus [u_0]_A \oplus d[x_A]_A$. 
Compute $[s_B]_B = [w]_B \oplus f[c]_B \oplus g$. Note that at this point $[s_B]_B = [t_A \oplus x_A y_B]_B$. 

4. Symmetrically the parties compute $[s_A]_A = [t_B \oplus x_B y_A]_A$. 

A and B compute $[z_A]_A = [t_A]_A \oplus [s_A]_A \oplus [x_A y_A]_A$ and $[z_B]_B = [t_B]_B \oplus [s_B]_B \oplus [x_B y_B]_B$ and let $[z] = [z_A|z_B]$. 

Output: The parties retrieve $[x] = [x_A|x_B]$. If A is to learn $x$, B reveals $x_B$. If B is to learn $x$, A reveals $x_A$. 

Fig. 6. Protocol for $\mathcal{F}_{2PC}$ in the $\mathcal{F}_{DEAL}$-hybrid model 



an Output, A sends $N$ to B who aborts if $N \neq N'$. Security of this check is easily proved in the 
random oracle model. The optimization brings the communication complexity of the protocol down 
from $O(\kappa|C|)$ to $O(|C| + o\kappa)$, where $o$ is the number of rounds in which outputs are opened. For a 
circuit of depth $O(|C|/\kappa)$, the communication is $O(|C|)$. 
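As an added example that is not part of the paper, the following Python simulates the authenticated-bit notation of Fig. 3 and the AND command of Fig. 6 in a single process, with $\mathcal{F}_{DEAL}$ played by a trusted dealer object that samples the global keys, aBits, aAND triples and aOTs. XOR of authenticated bits is local, every reveal is checked against $K_x \oplus x\Delta$ by the key holder, and the cross terms $x_A y_B$ and $x_B y_A$ are obtained from one aOT each; the class and function names are the example's own, and 128-bit keys stand in for $\kappa$.

```python
import os
from dataclasses import dataclass

KAPPA = 16  # key length in bytes for this toy (128-bit global and local keys)


def bxor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


@dataclass(frozen=True)
class ABit:
    """[x]_P: the MAC holder P knows (x, mac), the key holder knows key.
    Both halves sit in one object only because F_DEAL is simulated in-process."""
    x: int
    mac: bytes
    key: bytes

    def __xor__(self, other: "ABit") -> "ABit":   # [x] ⊕ [y], no communication
        return ABit(self.x ^ other.x, bxor(self.mac, other.mac), bxor(self.key, other.key))


class Dealer:
    """Trusted F_DEAL (Fig. 5). delta['A'] = Δ_A authenticates A's bits and is held by B."""

    def __init__(self) -> None:
        self.delta = {"A": os.urandom(KAPPA), "B": os.urandom(KAPPA)}

    def abit(self, owner, x=None) -> ABit:         # random [x]_owner, or with a chosen x
        x = os.urandom(1)[0] & 1 if x is None else x
        key = os.urandom(KAPPA)
        return ABit(x, bxor(key, self.delta[owner]) if x else key, key)   # M = K ⊕ xΔ

    def const(self, owner: str, b: int) -> ABit:   # [b]_owner: M_b = 0^κ, K_b = bΔ
        return ABit(b, bytes(KAPPA), self.delta[owner] if b else bytes(KAPPA))

    def aand(self, owner: str):                      # [u], [v], [w] with w = uv
        u, v = self.abit(owner), self.abit(owner)
        return u, v, self.abit(owner, u.x & v.x)

    def aot(self, sender: str, receiver: str):       # [u0], [u1], [c], [w] with w = u_c
        u0, u1, c = self.abit(sender), self.abit(sender), self.abit(receiver)
        return u0, u1, c, self.abit(receiver, u1.x if c.x else u0.x)


def check_reveal(dealer: Dealer, owner: str, ab: ABit) -> bool:
    """Key holder's check of a revealed (x, M_x): accept only if M_x = K_x ⊕ xΔ."""
    return ab.mac == (bxor(ab.key, dealer.delta[owner]) if ab.x else ab.key)


def times(dealer: Dealer, owner: str, b: int, ab: ABit) -> ABit:   # b[x]_owner
    return ab if b else dealer.const(owner, 0)


def local_and(dealer: Dealer, p: str, xp: ABit, yp: ABit) -> ABit:
    """Fig. 6 AND, steps 1/2: [x_P y_P]_P from one aAND triple."""
    u, v, w = dealer.aand(p)
    f, g = u ^ xp, v ^ yp                                   # revealed by P
    assert check_reveal(dealer, p, f) and check_reveal(dealer, p, g)
    return times(dealer, p, f.x, yp) ^ times(dealer, p, g.x, xp) ^ w ^ dealer.const(p, f.x & g.x)


def cross_term(dealer: Dealer, s: str, r: str, xs: ABit, yr: ABit):
    """Fig. 6 AND, steps 3/4: one aOT s→r gives ([t_s]_s, [s_r]_r) with s_r = t_s ⊕ x_s y_r."""
    u0, u1, c, w = dealer.aot(s, r)
    t = dealer.abit(s)
    d = c ^ yr                                   # r reveals d = c ⊕ y_r
    f = u0 ^ u1 ^ xs                             # s reveals f = u_0 ⊕ u_1 ⊕ x_s
    g = t ^ u0 ^ times(dealer, s, d.x, xs)       # s reveals g = t_s ⊕ u_0 ⊕ d x_s
    assert check_reveal(dealer, r, d) and check_reveal(dealer, s, f) and check_reveal(dealer, s, g)
    return t, w ^ times(dealer, r, f.x, c) ^ dealer.const(r, g.x)


def and_gate(dealer: Dealer, xa: ABit, xb: ABit, ya: ABit, yb: ABit):
    """[z] = [xy] on shares [x] = [x_A|x_B], [y] = [y_A|y_B]; returns ([z_A]_A, [z_B]_B)."""
    ta, sb = cross_term(dealer, "A", "B", xa, yb)    # s_B = t_A ⊕ x_A y_B
    tb, sa = cross_term(dealer, "B", "A", xb, ya)    # s_A = t_B ⊕ x_B y_A
    za = ta ^ sa ^ local_and(dealer, "A", xa, ya)
    zb = tb ^ sb ^ local_and(dealer, "B", xb, yb)
    return za, zb


def secure_and(x: int, y: int) -> int:
    """Input x (from A) and y (from B), one AND gate, Output to both: Fig. 6 end to end."""
    dealer = Dealer()
    xa = dealer.abit("A")                        # A's random aBit; she announces x_B = x ⊕ x_A
    xb = dealer.const("B", x ^ xa.x)             # the parties build [x_B]_B as a constant
    yb = dealer.abit("B")
    ya = dealer.const("A", y ^ yb.x)
    za, zb = and_gate(dealer, xa, xb, ya, yb)
    assert check_reveal(dealer, "A", za) and check_reveal(dealer, "B", zb)   # Output reveals
    return za.x ^ zb.x


def forged_bit_is_caught(dealer: Dealer) -> bool:
    """Flipping a revealed bit without knowing Δ_A fails the key holder's MAC check."""
    ab = dealer.abit("A")
    return not check_reveal(dealer, "A", ABit(ab.x ^ 1, ab.mac, ab.key))
```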

Implementing $\mathcal{F}_{DEAL}$. In the following sections we show how to implement $\mathcal{F}_{DEAL}$. In Sect. 4 we 
implement just the part with the commands Authenticated Bits. In Sect. 5 we show how to extend 
with the Authenticated OT commands, by showing how to implement many aOTs from many 
aBits. In Sect. 6 we then show how to extend with the Authenticated local AND commands, by 
showing how to implement many aANDs from many aBits. We describe the extensions separately, 
but since they both maintain the value of the global keys, they will produce aANDs and aOTs with 
the same keys as the aBits used, giving an implementation of $\mathcal{F}_{DEAL}$. 



4 Bit Authentication

In this section we show how to efficiently implement (oblivious) bit authentication, i.e., we want to be in a situation where A knows some bits $x_1, \ldots, x_\ell$ together with MACs $M_1, \ldots, M_\ell$, while B holds a global key $\Delta_A$ and local keys $K_1, \ldots, K_\ell$ s.t. $M_i = K_i \oplus x_i \Delta_A$, as described in $\mathcal{F}_{\text{DEAL}}$ (Fig. 5). Given the complete symmetry of $\mathcal{F}_{\text{DEAL}}$ we only describe the case where A is MAC holder.

Fig. 7. Sect. 4 outline (diagram: aBit is built from WaBit, which is built from LaBit).

If the parties were honest, we could do the following: A and B run an OT where B inputs the two messages $(K_i, K_i \oplus \Delta_A)$ and A chooses $x_i$, to receive $M_i = K_i \oplus x_i \Delta_A$. However, if B is dishonest he might not use the same $\Delta_A$ in all OTs. The main ideas that make the protocol secure against cheating parties are the following:

1. For reasons that will be apparent later, we will actually start in the opposite direction and let B receive some authenticated bits $y_i$ using an OT, where A is supposed to always use the same global key $\Gamma_B$. Thus an honest A inputs $(L_i, L_i \oplus \Gamma_B)$ in the OTs and B receives $N_i = L_i \oplus y_i \Gamma_B$. To check that A is playing honest in most OTs, the authenticated bits are randomly paired and a check is performed, which restricts A to cheat in at most a few OTs.

2. We then notice that what A gains by using different $\Gamma_B$'s in a few OTs is no more than learning a few of B's bits $y_i$. We call this a leaky aBit, or LaBit.

3. We show how to turn this situation into an equivalent one where A (not B) receives authenticated random bits $x_j$ (none of which leaks to B) under a "slightly insecure" global key $\Gamma_A$. The insecurity comes from the fact that the leakage of the $y_i$'s turns into the leakage of a few bits of the global key $\Gamma_A$ towards A. We call this an aBit with weak global key, or WaBit.

4. Using privacy amplification, we amplify the previous setting to a new one where A receives authenticated bits under a (shorter) fully secure global key $\Delta_A$, where no bits of $\Delta_A$ are known to A, finally implementing the aBit command of the dealer box.

We will proceed in reverse order and start with step 4 in the previous description: we will start by showing how we can turn authenticated bits under an "insecure" global key $\Gamma_A$ into authenticated bits under a "secure" (but shorter) global key $\Delta_A$.

4.1 Bit Authentication with Weak Global Key (WaBit)

We will first define the box providing bit authentication, but where some of the bits of the global key might leak. We call this box WaBit (bit authentication with weak global key) and we formally describe it in Fig. 8. The box $\mathrm{WaBit}^{\mathcal{C}}(\ell, \tau)$ outputs $\ell$ bits with keys of length $\tau$. The box is also parametrized by a class $\mathcal{C}$ of leakage functions on $\tau$ bits. The box $\mathrm{aBit}(\ell, \psi)$ is the box $\mathrm{WaBit}^{\mathcal{C}}(\ell, \psi)$ where $\mathcal{C}$ is the class of leakage functions that never leak.



Honest Parties:

1. The box samples $\Gamma_A \in_R \{0,1\}^\tau$ and outputs it to B.

2. The box samples and outputs $[x_1]_A, \ldots, [x_\ell]_A$. Each $[x_i]_A = (x_i, M'_i, K'_i) \in \{0,1\}^{1+2\tau}$ s.t. $M'_i = K'_i \oplus x_i \Gamma_A$.

Corrupted Parties:

1. If A is corrupted, then A may choose a leakage function $L \in \mathcal{C}$. Then the box samples $(S, c) \leftarrow L$. If $c = 0$ the box outputs fail to B and terminates. If $c = 1$, the box outputs $\{(i, (\Gamma_A)_i)\}_{i \in S}$ to A.

2. If A is corrupted, then A chooses the $x_i$ and the $M'_i$ and then $K'_i = M'_i \oplus x_i \Gamma_A$.

3. If B is corrupted, then B chooses $\Gamma_A$ and the $K'_i$.

Global Key Queries: The adversary can input $\Gamma$ and will be told if $\Gamma = \Gamma_A$.

Fig. 8. The box $\mathrm{WaBit}^{\mathcal{C}}(\ell, \tau)$ for Bit Authentication with Weak Global Key



1. The parties invoke $\mathrm{WaBit}^{\mathcal{C}}(\ell, \tau)$ with $\tau = \lceil \frac{8}{3}\psi \rceil$. The output to A is $((M'_1, x_1), \ldots, (M'_\ell, x_\ell))$. The output to B is $(\Gamma_A, K'_1, \ldots, K'_\ell)$.

2. B samples $A \in_R \{0,1\}^{\psi \times \tau}$, a random binary matrix with $\psi$ rows and $\tau$ columns, and sends $A$ to A.

3. A computes $M_i = A M'_i \in \{0,1\}^\psi$ and outputs $((M_1, x_1), \ldots, (M_\ell, x_\ell))$.

4. B computes $\Delta_A = A\Gamma_A$ and $K_i = AK'_i$ and outputs $(\Delta_A, K_1, \ldots, K_\ell)$.

Fig. 9. Subprotocol for reducing $\mathrm{aBit}(\ell, \psi)$ to $\mathrm{WaBit}^{\mathcal{C}}(\ell, \tau)$.
In Fig. 9 we describe a protocol which takes a box WaBit, where one quarter of the bits of the global key might leak, and amplifies it to a box aBit where the global key is perfectly secret. The protocol is described for general $\mathcal{C}$ and it is parametrized by a desired security level $\psi$. The proof of the following theorem can be found in App. C.

Theorem 2. Let $\tau = \lceil \frac{8}{3}\psi \rceil$ and $\mathcal{C}$ be a $(\frac{1}{4}\tau)$-secure leakage function on $\tau$ bits. The protocol in Fig. 9 securely implements $\mathrm{aBit}(\ell, \psi)$ in the $\mathrm{WaBit}^{\mathcal{C}}(\ell, \tau)$-hybrid model with security parameter $\psi$. The communication is $O(\psi^2)$ and the work is $O(\psi^2 \ell)$.

4.2 Bit Authentication with Leaking Bits (LaBit)

We now show another insecure box for aBit. The new box is insecure in the sense that a few of the bits to be authenticated might leak to the other party. We call this box an aBit with leaking bits, or LaBit, and formally describe it in Fig. 10. The box $\mathrm{LaBit}^{\mathcal{C}}(\tau, \ell)$ outputs $\tau$ authenticated bits with keys of length $\ell$, and is parametrized by a class of leakage functions $\mathcal{C}$ on $\tau$ bits. We show that $\mathrm{WaBit}^{\mathcal{C}}$ can be reduced to $\mathrm{LaBit}^{\mathcal{C}}$. In the reduction, a LaBit that outputs authenticated bits $[y_i]_B$ to B can be turned into a WaBit that outputs authenticated bits $[x_j]_A$ to A, therefore we present the LaBit box that outputs bits to B. The reduction is strongly inspired by the OT extension techniques in [IKNP03].



Honest Parties:

1. The box samples $\Gamma_B \in_R \{0,1\}^\ell$ and outputs it to A.

2. The box samples and outputs $[y_1]_B, \ldots, [y_\tau]_B$. Each $[y_i]_B = (y_i, N_i, L_i) \in \{0,1\}^{1+2\ell}$ s.t. $N_i = L_i \oplus y_i \Gamma_B$.

Corrupted Parties:

1. If A is corrupted, then A may input a leakage function $L \in \mathcal{C}$. Then the box samples $(S, c) \leftarrow L$. If $c = 0$ the box outputs fail to B and terminates. If $c = 1$, the box outputs $\{(i, y_i)\}_{i \in S}$ to A.

2. Corrupted parties get to specify their outputs as in Fig. 8.

Choice Bit Queries: The adversary can input $\Delta$ and will be told if $\Delta = (y_1, \ldots, y_\tau)$.

Fig. 10. The box $\mathrm{LaBit}^{\mathcal{C}}(\tau, \ell)$ for Bit Authentication with Leaking Bits



1. A and B invoke $\mathrm{LaBit}^{\mathcal{C}}(\tau, \ell)$. B learns $((N_1, y_1), \ldots, (N_\tau, y_\tau))$ and A learns $(\Gamma_B, L_1, \ldots, L_\tau)$.

2. A lets $x_j$ be the $j$-th bit of $\Gamma_B$ and $M_j$ the string consisting of the $j$-th bits from all the strings $L_i$, i.e. $M_j = L_{1,j} \| L_{2,j} \| \ldots \| L_{\tau,j}$.

3. B lets $\Gamma_A$ be the string consisting of all the bits $y_i$, i.e. $\Gamma_A = y_1 \| y_2 \| \ldots \| y_\tau$, and lets $K_j$ be the string consisting of the $j$-th bits from all the strings $N_i$, i.e. $K_j = N_{1,j} \| N_{2,j} \| \ldots \| N_{\tau,j}$.

4. A and B now hold $[x_j]_A = (x_j, M_j, K_j)$ for $j = 1, \ldots, \ell$.

Fig. 11. Subprotocol for reducing $\mathrm{WaBit}^{\mathcal{C}}(\ell, \tau)$ to $\mathrm{LaBit}^{\mathcal{C}}(\tau, \ell)$

Theorem 3. For all $\ell$, $\tau$ and $\mathcal{C}$ the boxes $\mathrm{WaBit}^{\mathcal{C}}(\ell, \tau)$ and $\mathrm{LaBit}^{\mathcal{C}}(\tau, \ell)$ are linear locally equivalent, i.e., each can be implemented given the other in linear time without interaction.

Proof. The first direction (reducing WaBit to LaBit) is shown in Fig. 11. The other direction (LaBit is linear locally reducible to WaBit) follows from the fact that the local transformations are reversible in linear time. One can check that for all $j = 1, \ldots, \ell$, $[x_j]_A$ is a correct authenticated bit. Namely, from the box LaBit we get that for all $i = 1, \ldots, \tau$, $N_i = L_i \oplus y_i \Gamma_B$. In particular the $j$-th bit satisfies $N_{i,j} = L_{i,j} \oplus y_i (\Gamma_B)_j$, which can be rewritten (using the same renaming as in the protocol) as $K_{j,i} = M_{j,i} \oplus (\Gamma_A)_i x_j$, and therefore $M_j = K_j \oplus x_j \Gamma_A$, as we want. It is easy to see (as the protocol only consists of renamings) that leakage on the choice bits is equivalent to leakage on the global key under this transformation, and guesses on $\Gamma_A$ are equivalent to guesses on $(y_1, \ldots, y_\tau)$, so giving a simulation argument is straightforward when $\mathcal{C}$ is the same for both boxes. □

Note that since we turn $\mathrm{LaBit}^{\mathcal{C}}(\tau, \ell)$ into $\mathrm{WaBit}^{\mathcal{C}}(\ell, \tau)$, if we choose $\ell = \mathrm{poly}(\psi)$ we can turn a relatively small number ($\tau = \lceil \frac{8}{3}\psi \rceil$) of authenticated bits towards one player into a very large number ($\ell$) of authenticated bits towards the other player.
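The two local steps of this section, the re-indexing of Fig. 11 (LaBit towards B becomes WaBit towards A) followed by the matrix step of Fig. 9 (the $\tau$-bit $\Gamma_A$ becomes a $\psi$-bit $\Delta_A$), as an added example that is not code from the paper. It simulates the ideal LaBit box locally, uses toy sizes `TAU, ELL, PSI` chosen here rather than the paper's $\tau = \lceil 8\psi/3 \rceil$, and checks the MAC equation after each stage; the function names are this example's own.

```python
# Added example (not from the paper): the re-indexing of Fig. 11 that turns
# tau authenticated bits towards B (a LaBit output) into ell authenticated bits
# towards A (a WaBit output), followed by the random-matrix step of Fig. 9 that
# shortens the weak global key Gamma_A to a psi-bit Delta_A. Bit strings are
# tuples of 0/1; the sizes are toy values chosen here, not the paper's.
import secrets

TAU, ELL, PSI = 8, 12, 4


def rbits(n):
    return tuple(secrets.randbits(1) for _ in range(n))


def xor(a, b):
    return tuple(p ^ q for p, q in zip(a, b))


def scale(bit, v):                  # bit * v for a bit in {0,1}
    return tuple(bit & p for p in v)


def labit(tau, ell):
    """Ideal LaBit(tau, ell): A gets Gamma_B and keys L_i; B gets (y_i, N_i)
    with N_i = L_i ⊕ y_i Gamma_B."""
    gamma_b = rbits(ell)
    L = [rbits(ell) for _ in range(tau)]
    y = rbits(tau)
    N = [xor(L[i], scale(y[i], gamma_b)) for i in range(tau)]
    return gamma_b, L, y, N


def labit_to_wabit(gamma_b, L, y, N):
    """Fig. 11: x_j = (Gamma_B)_j and M_j = column j of the L_i (A's side);
    Gamma_A = y_1..y_tau and K_j = column j of the N_i (B's side)."""
    ell, tau = len(gamma_b), len(y)
    x = gamma_b
    M = [tuple(L[i][j] for i in range(tau)) for j in range(ell)]
    gamma_a = y
    K = [tuple(N[i][j] for i in range(tau)) for j in range(ell)]
    return x, M, gamma_a, K


def matvec(A, v):
    """GF(2) product: output bit k is the parity of row k of A masked by v."""
    return tuple(sum(a & b for a, b in zip(row, v)) & 1 for row in A)


def wabit_to_abit(x, M, gamma_a, K, psi):
    """Fig. 9: B samples a random psi x tau matrix A, A applies it to the MACs,
    B applies it to Gamma_A and the keys. Linearity keeps M = K ⊕ x Delta_A."""
    A = [rbits(len(gamma_a)) for _ in range(psi)]
    return x, [matvec(A, m) for m in M], matvec(A, gamma_a), [matvec(A, k) for k in K]


def mac_ok(x, M, delta, K):
    return all(M[j] == xor(K[j], scale(x[j], delta)) for j in range(len(x)))


def run(tau=TAU, ell=ELL, psi=PSI):
    x, M, gamma_a, K = labit_to_wabit(*labit(tau, ell))
    weak_ok = mac_ok(x, M, gamma_a, K)         # M_j = K_j ⊕ x_j Gamma_A (tau-bit key)
    x, M2, delta_a, K2 = wabit_to_abit(x, M, gamma_a, K, psi)
    strong_ok = mac_ok(x, M2, delta_a, K2)     # M_j = K_j ⊕ x_j Delta_A (psi-bit key)
    return weak_ok, strong_ok, len(x), len(delta_a)
```

The matrix step works because $A$ is linear over GF(2): $A(K'_i \oplus x_i\Gamma_A) = AK'_i \oplus x_i A\Gamma_A$, so the relation survives with $\Delta_A = A\Gamma_A$, while a few leaked bits of $\Gamma_A$ give A no fixed bit of the random parities in $\Delta_A$.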

4.3 A Protocol For Bit Authentication With Leaking Bits

In this section we show how to construct authenticated bits starting from OTs. The protocol ensures that most of the authenticated bits will be kept secret, as specified by the LaBit box in Fig. 10.

The main idea of the protocol, described in Fig. 12, is the following: many authenticated bits $[y_i]_B$ for B are created using OTs, where A is supposed to input messages $(L_i, L_i \oplus \Gamma_B)$. To check that A is using the same $\Gamma_B$ in every OT, the authenticated bits are randomly paired. Given a pair of authenticated bits $[y_i]_B, [y_j]_B$, A and B compute $[z_i]_B = [y_i]_B \oplus [y_j]_B \oplus d_i$ where $d_i = y_i \oplus y_j$ is announced by B. If A behaved honestly, she knows the MAC that B holds on $z_i$, otherwise she has 1 bit of entropy on this MAC, as shown below. The parties can check if A knows the MAC using the EQ box described in App. B. As B reveals $y_i \oplus y_j$, they waste $[y_j]_B$ and only use $[y_i]_B$ as output from the protocol; as $y_j$ is uniformly random, $y_i \oplus y_j$ leaks no information on $y_i$. Note that we cannot simply let A reveal the MAC on $z_i$, as a malicious B could announce a wrong $d_i$: this would allow B to learn a MAC on both $z_i$ and $1 \oplus z_i$ at the same time, thus leaking $\Gamma_B$. Using EQ forces a thus cheating B to guess the MAC on a bit which he did not see, which he can do only with negligible probability $2^{-\ell}$.



1. A samples $\Gamma_B \in_R \{0,1\}^\ell$ and for $i = 1, \ldots, T$ samples $L_i \in_R \{0,1\}^\ell$, where $T = 2\tau$.

2. B samples $(y_1, \ldots, y_T) \in_R \{0,1\}^T$.

3. They run $T$ OTs, where for $i = 1, \ldots, T$ party A offers $(Y_{i,0}, Y_{i,1}) = (L_i, L_i \oplus \Gamma_B)$ and B selects $y_i$ and receives $N_i = Y_{i,y_i} = L_i \oplus y_i \Gamma_B$. Let $[y_1]_B, \ldots, [y_T]_B$ be the candidate authenticated bits produced so far.

4. B picks a uniformly random pairing $\pi$ (a permutation $\pi : \{1, \ldots, T\} \to \{1, \ldots, T\}$ where $\forall i$, $\pi(\pi(i)) = i$ and $\pi(i) \neq i$), and sends $\pi$ to A. Given a pairing $\pi$, let $S(\pi) = \{i \mid i < \pi(i)\}$, i.e., for each pair, add the smallest index to $S(\pi)$.

5. For all $\tau$ indices $i \in S(\pi)$:

   (a) B announces $d_i = y_i \oplus y_{\pi(i)}$.

   (b) A and B compute $[z_i]_B = [y_i]_B \oplus [y_{\pi(i)}]_B \oplus d_i$.

   (c) Let $Z_i$ and $W_i$ be the MAC and the local key for $z_i$, held by B and A respectively. They compare these using EQ and abort if they are different.

   The $\tau$ comparisons are done using one call on the $\tau\ell$-bit strings $(Z_i)_{i \in S(\pi)}$ and $(W_i)_{i \in S(\pi)}$.

6. For all $i \in S(\pi)$, A and B output $[y_i]_B$.

Fig. 12. The protocol for reducing $\mathrm{LaBit}(\tau, \ell)$ to $\mathrm{OT}(2\tau, \ell)$ and $\mathrm{EQ}(\tau\ell)$.

Note that if A uses different $\Gamma_B$ in two paired instances, $\Gamma_i$ and $\Gamma_j$ say, then the MAC held by B on $y_i \oplus y_j$ (and therefore also $z_i$) is $(L_i \oplus y_i \Gamma_i) \oplus (L_j \oplus y_j \Gamma_j) = (L_i \oplus L_j) \oplus (y_i \oplus y_j)\Gamma_j \oplus y_i(\Gamma_i \oplus \Gamma_j)$. Since $\Gamma_i \oplus \Gamma_j \neq 0^\ell$ and $y_i \oplus y_j$ is fixed by announcing $d_i$, guessing this MAC is equivalent to guessing $y_i$. As A only knows $L_i, L_j, \Gamma_i, \Gamma_j$ and $y_i \oplus y_j$, she cannot guess $y_i$ with probability better than $1/2$. Therefore, if A cheats in many OTs, she will get caught with high probability. If she only cheats on a few instances she might pass the test. Doing so confirms her guess on $y_i$ in the pairs where she cheated. Now assume that she cheated in instance $i$ and offered $(L_i, L_i \oplus \Gamma'_B)$ instead of $(L_i, L_i \oplus \Gamma_B)$. After getting her guess on $y_i$ confirmed she can explain the run as an honest run: If $y_i = 0$, the run is equivalent to having offered $(L_i, L_i \oplus \Gamma_B)$, as B gets no information on the second message when $y_i = 0$. If $y_i = 1$, then the run is equivalent to having offered $(L'_i, L'_i \oplus \Gamma_B)$ with $L'_i = L_i \oplus (\Gamma_B \oplus \Gamma'_B)$, as $L'_i \oplus \Gamma_B = L_i \oplus \Gamma'_B$ and B gets no information on the first message when $y_i = 1$. So, any cheating strategy of A can be simulated by letting her honestly use the same $\Gamma_B$ in all pairs and then letting her try to guess some bits $y_i$. If she guesses wrong, the deviation is reported to B. If she guesses right, she is told so and the deviation is not reported to B. This, in turn, can be captured using some appropriate class of leakage functions $\mathcal{C}$. Nailing down the exact $\mathcal{C}$ needed to simulate a given behavior of A, including defining what is the "right" $\Gamma_B$, and showing that the needed $\mathcal{C}$ is always $\kappa$-secure is a relatively straightforward but very tedious business. The proof of the following theorem can be found in App. D.

Theorem 4. Let $\kappa = \frac{1}{4}\tau$, and let $\mathcal{C}$ be a $\kappa$-secure leakage function on $\tau$ bits. The protocol in Fig. 12 securely implements $\mathrm{LaBit}^{\mathcal{C}}(\tau, \ell)$ in the $(\mathrm{OT}(2\tau, \ell), \mathrm{EQ}(\tau\ell))$-hybrid model. The communication is $O(\tau\ell)$. The work is $O(\tau\ell)$.
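The pairing check of Fig. 12 and the cheating analysis above, as an added example (illustration code for this page, not the authors' implementation). The OTs are simulated locally, so the simulator simply hands B the message matching $y_i$; `ELL`, `TAU` and the function names are this example's own. It runs an honest A and then an A who uses a different key $\Gamma'$ in one OT, and reports whether the EQ comparison of B's MAC and A's key on $z_i$ passes; for the cheating A the outcome is determined by the bit $y_i$ of the corrupted OT, exactly as the analysis says.

```python
# Added example (not from the paper): the OT-and-pairing check of Fig. 12 with
# the OTs simulated locally. It runs an honest A and then an A that uses a
# different global key in one OT, and reports whether the EQ comparison of
# B's MAC and A's key on z_i passes. ELL and TAU are toy sizes chosen here.
import secrets

ELL, TAU = 16, 8


def rbits(n):
    return tuple(secrets.randbits(1) for _ in range(n))


def xor(a, b):
    return tuple(p ^ q for p, q in zip(a, b))


def scale(bit, v):
    return tuple(bit & p for p in v)


def random_pairing(T):
    """Step 4: a uniformly random fixed-point-free involution pi on 0..T-1."""
    idx = list(range(T))
    secrets.SystemRandom().shuffle(idx)
    pi = [0] * T
    for a, b in zip(idx[0::2], idx[1::2]):
        pi[a], pi[b] = b, a
    return pi


def labit_protocol(tau, ell, gamma_for_ot):
    """gamma_for_ot(i) is the key A puts into OT number i; an honest A uses the
    same Gamma_B everywhere. gamma_for_ot(None) is the key A claims to have
    used when she computes her local keys in step 5."""
    T = 2 * tau
    L = [rbits(ell) for _ in range(T)]            # step 1
    y = rbits(T)                                  # step 2
    # step 3: B receives N_i = L_i ⊕ y_i * (whatever key A used in OT i)
    N = [xor(L[i], scale(y[i], gamma_for_ot(i))) for i in range(T)]
    pi = random_pairing(T)
    S = [i for i in range(T) if i < pi[i]]
    gamma_b = gamma_for_ot(None)
    Z, W = [], []
    for i in S:                                   # step 5
        j = pi[i]
        d = y[i] ^ y[j]                           # (a) B announces d_i
        Z.append(xor(N[i], N[j]))                 # (c) B's MAC on z_i
        W.append(xor(xor(L[i], L[j]), scale(d, gamma_b)))   # A's key on z_i
    passed = Z == W                               # one EQ call on tau*ell bits
    out = [(y[i], N[i], L[i]) for i in S]         # step 6: the [y_i]_B kept
    return passed, out, y


def honest_run(tau=TAU, ell=ELL):
    gamma = rbits(ell)
    passed, out, _ = labit_protocol(tau, ell, lambda i: gamma)
    macs_ok = all(N == xor(L, scale(y, gamma)) for y, N, L in out)
    return passed, macs_ok, len(out)


def cheating_run(tau=TAU, ell=ELL, bad=0):
    """A uses Gamma' ≠ Gamma_B in OT number `bad`. B's MAC on that pair's z_i
    differs from A's key by y_bad * (Gamma' ⊕ Gamma_B), so the check passes
    exactly when y_bad = 0; surviving it confirms A's guess on y_bad."""
    gamma = rbits(ell)
    gamma2 = xor(gamma, (1,) + (0,) * (ell - 1))
    passed, _, y = labit_protocol(tau, ell, lambda i: gamma2 if i == bad else gamma)
    return passed, y[bad]
```

Running `cheating_run()` repeatedly shows the leak the LaBit box models: each surviving run tells A one bit $y_i$, and each failing run is an abort B observes, so cheating in many OTs is caught with overwhelming probability.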

Corollary 1. Let $\psi$ denote the security parameter and let $\ell = \mathrm{poly}(\psi)$. The box $\mathrm{aBit}(\ell, \psi)$ can be reduced to $(\mathrm{OT}(\frac{16}{3}\psi, \psi), \mathrm{EQ}(\psi))$. The communication is $O(\psi\ell + \psi^2)$ and the work is $O(\psi^2\ell)$.

Proof. Combining the above theorems (with $\tau = \lceil \frac{8}{3}\psi \rceil$, so $2\tau = \frac{16}{3}\psi$ up to rounding) we have that $\mathrm{aBit}(\ell, \psi)$ can be reduced to $(\mathrm{OT}(2\tau, \ell), \mathrm{EQ}(\tau\ell))$ with communication $O(\psi\ell + \psi^2)$ and work $O(\psi^2\ell)$. For any polynomial $\ell$, we can implement $\mathrm{OT}(2\tau, \ell)$ given $\mathrm{OT}(2\tau, \psi)$ and a pseudo-random generator $\mathrm{prg} : \{0,1\}^\psi \to \{0,1\}^\ell$. Namely, seeds are sent using the OTs and the prg is used to one-time pad encrypt the messages. The communication is $2\ell$ per OT. If we use the RO to implement the pseudo-random generator and count the hashing of $k$ bits as $O(k)$ work, then the work is $O(\ell\psi)$. We can implement $\mathrm{EQ}(\tau\ell)$ by comparing short hashes produced using the RO. The work is $O(\psi\ell)$. □

Since the oracles $(\mathrm{OT}(\frac{16}{3}\psi, \psi), \mathrm{EQ}(\psi))$ are independent of $\ell$, the cost of essentially any reasonable implementation of them can be amortized away by picking $\ell$ large enough. See App. A for a more detailed complexity analysis.



Efficient OT Extension: We notice that the WaBit box resembles an intermediate step of the OT extension protocol of [IKNP03]. Completing their protocol (i.e., "hashing away" the fact that all message pairs have the same XOR) gives an efficient protocol for OT extension, with the same asymptotic complexity as [HIKN08], but with dramatically smaller constants. See App. E for details.



5 Authenticated Oblivious Transfer

In this section we show how to implement aOTs. We implemented aBits in Sect. 4, so what remains is to show how to implement aOTs from aBits, i.e., to implement the $\mathcal{F}_{\text{DEAL}}$ box when it outputs $[x_0]_A, [x_1]_A, [c]_B, [z]_B$ with $z = c(x_0 \oplus x_1) \oplus x_0 = x_c$. Because of symmetry we only show the construction of aOTs from aBits with A as sender and B as receiver.

We go via a leaky version of authenticated OT, or LaOT, described in Fig. 14. The LaOT box is leaky in the sense that choice bits may leak when A is corrupted: a corrupted A is allowed to make guesses on choice bits, but if the guess is wrong the box aborts, revealing that A is cheating. This means that if the box does not abort, with very high probability A only tried to guess a few choice bits.

Fig. 13. Sect. 5 outline (diagram: aOT is built from LaOT, which is built from aBit and EQ).

The protocol to construct a leaky aOT (described in Fig. 15) proceeds

as follows: First A and B get $[x_0]_A, [x_1]_A$ (A's messages), $[c]_B$ (B's choice bit) and $[r]_B$. Then A transfers the message $z = x_c$ to B in the following way: B knows the MAC for his choice bit $M_c$, while A knows the two keys $K_c$ and $\Delta_B$. This allows A to compute the two possible MACs $(K_c, K_c \oplus \Delta_B)$ respectively for the case of $c = 0$ and $c = 1$. Hashing these values leaves A with two uncorrelated strings $H(K_c)$ and $H(K_c \oplus \Delta_B)$, one of which B can compute as $H(M_c)$. These values can be used as a one-time pad for A's bits $x_0, x_1$ (and some other values as described later), and B can retrieve $x_c$ and announce the difference $d = x_c \oplus r$ and therefore compute the output $[z]_B = [r]_B \oplus d$.

Honest Parties: For $i = 1, \ldots, \ell$ the box outputs random $[x_0^i]_A, [x_1^i]_A, [c^i]_B, [z^i]_B$ with $z^i = c^i(x_0^i \oplus x_1^i) \oplus x_0^i$.

Corrupted Parties:

1. If B is corrupted he gets to choose all his random values.

2. If A is corrupted she gets to choose all her random values. Also, she may, at any point before B received his outputs, input $(i, g_i)$ to the box in order to try to guess $c^i$. If $c^i \neq g_i$ the box will output fail and terminate. Otherwise the box proceeds as if nothing has happened and A will know the guess was correct. She may input as many guesses as she desires.

Global Key Queries: The adversary can at any point input $(A, \Delta)$ and will be returned whether $\Delta = \Delta_B$. And it can at any point input $(B, \Delta)$ and will be returned whether $\Delta = \Delta_A$.

Fig. 14. The Leaky Authenticated OT box $\mathrm{LaOT}(\ell)$



The protocol runs $\ell$ times in parallel, here described for a single leaky authenticated OT.

1. A and B get $[x_0]_A, [x_1]_A, [c]_B, [r]_B$ from the dealer.

2. Let $[x_0]_A = (x_0, M_{x_0}, K_{x_0})$, $[x_1]_A = (x_1, M_{x_1}, K_{x_1})$, $[c]_B = (c, M_c, K_c)$, $[r]_B = (r, M_r, K_r)$.

3. A chooses random strings $T_0, T_1 \in \{0,1\}^\kappa$.

4. A sends $(X_0, X_1)$ to B where $X_0 = H(K_c) \oplus (x_0 \| M_{x_0} \| T_{x_0})$ and $X_1 = H(K_c \oplus \Delta_B) \oplus (x_1 \| M_{x_1} \| T_{x_1})$.

5. B computes $(x_c \| M_{x_c} \| T_{x_c}) = X_c \oplus H(M_c)$. B aborts if $M_{x_c} \neq K_{x_c} \oplus x_c \Delta_A$. Otherwise, let $z = x_c$.

6. B announces $d = z \oplus r$ to A and the parties compute $[z]_B = [r]_B \oplus d$. Let $[z]_B = (z, M_z, K_z)$.

7. A sends $(I_0, I_1)$ to B where $I_0 = H(K_z) \oplus T_1$ and $I_1 = H(K_z \oplus \Delta_B) \oplus T_0$.

8. B computes $T_{1 \oplus z} = I_z \oplus H(M_z)$. Notice that now B has both $(T_0, T_1)$.

9. A and B both input $(T_0, T_1)$ to EQ. The comparisons are done using one call to $\mathrm{EQ}(\ell \cdot 2\kappa)$.

10. If the values are the same, they output $[x_0]_A, [x_1]_A, [c]_B, [z]_B$.

Fig. 15. The protocol for authenticated OT with leaky choice bit

In order to check if A is transmitting the correct bits $x_0, x_1$, she will transfer the respective MACs together with the bits: as B is supposed to learn $x_c$, revealing the MAC on this bit does not introduce any insecurity. However, A can now mount a selective failure attack: A can check if B's choice bit $c$ is equal to 0, e.g., by sending $x_0$ with the right MAC and $x_1$ together with a random string. Now if $c = 0$ B only sees the valid MAC and continues the protocol, while if $c = 1$ B aborts because of the wrong MAC. A similar attack can be mounted to check if $c = 1$. We will fix this later by randomly partitioning and combining a few LaOTs together.

On the other hand, if B is corrupted, he could be announcing the wrong value $d$. In particular, A needs to check that the authenticated bit $[z]_B$ is equal to $x_c$ without learning $c$. In order to do this, we have A choosing two random strings $T_0, T_1$, and appending them, respectively, to $x_0, x_1$ and the MACs on those bits, so that B learns $T_{x_c}$ together with $x_c$. After B announces $d$, we can again use the MAC and the keys for $z$ to perform a new transfer: A uses $H(K_z)$ as a one-time pad for $T_1$ and $H(K_z \oplus \Delta_B)$ as a one-time pad for $T_0$. Using $M_z$, the MAC on $z$, B can retrieve $T_{1 \oplus z}$. This means that an honest B, that sets $z = x_c$, will know both $T_0$ and $T_1$, while a dishonest B will not be able to know both values except with negligible probability. Using the EQ box A can check that B knows both values $T_0, T_1$. Note that we cannot simply have B openly announce these values, as this would open the possibility for new attacks on A's side. The proof of the following theorem can be found in App. F.

Theorem 5. The protocol in Fig. 15 securely implements $\mathrm{LaOT}(\ell)$ in the $(\mathrm{aBit}(4\ell, \kappa), \mathrm{EQ}(2\ell\kappa))$-hybrid model.

To deal with the leakage of the LaOT box, we let B randomly partition the LaOTs into small buckets: all the LaOTs in a bucket will be combined using an OT combiner (as shown in Fig. 16), in such a way that if at least one choice bit in every bucket is unknown to A, then the resulting aOT will not be leaky. The overall protocol is secure because of the OT combiner and the probability that any bucket is filled only with OTs where the choice bit leaked is negligible, as shown in App. G.



1. A and B generate $\ell' = B\ell$ authenticated OTs using $\mathrm{LaOT}(\ell')$. If the box does not abort, name the outputs $\{[x_0^i]_A, [x_1^i]_A, [c^i]_B, [z^i]_B\}_{i=1}^{\ell'}$.

2. B sends a $B$-wise independent permutation $\pi$ on $\{1, \ldots, \ell'\}$ to A. For $j = 0, \ldots, \ell - 1$, the $B$ quadruples $\{[x_0^{\pi(i)}]_A, [x_1^{\pi(i)}]_A, [c^{\pi(i)}]_B, [z^{\pi(i)}]_B\}_{i=jB+1}^{(j+1)B}$ are defined to be in the $j$'th bucket.

3. We describe how to combine two OTs from a bucket, call them $[x_0^1]_A, [x_1^1]_A, [c^1]_B, [z^1]_B$ and $[x_0^2]_A, [x_1^2]_A, [c^2]_B, [z^2]_B$. Call the result $[x_0]_A, [x_1]_A, [c]_B, [z]_B$. To combine more than two, just iterate by taking the result and combining it with the next leaky OT.

   (a) A reveals $d = x_0^1 \oplus x_1^1 \oplus x_0^2 \oplus x_1^2$.

   (b) Compute: $[c]_B = [c^1]_B \oplus [c^2]_B$, $[z]_B = [z^1]_B \oplus [z^2]_B \oplus d[c^1]_B$, $[x_0]_A = [x_0^1]_A \oplus [x_0^2]_A$, $[x_1]_A = [x_0^1]_A \oplus [x_1^2]_A$.

Fig. 16. From Leaky Authenticated OTs to Authenticated OTs



Theorem 6. Let $\mathrm{aOT}(\ell)$ denote the box which outputs $\ell$ aOTs as in $\mathcal{F}_{\text{DEAL}}$. If $(\log_2(\ell) + 1)(B - 1) \geq \psi$, then the protocol in Fig. 16 securely implements $\mathrm{aOT}(\ell)$ in the $\mathrm{LaOT}(B\ell)$-hybrid model with security parameter $\psi$.

6 Authenticated local AND

In this section we show how to generate aAND, i.e., how to implement the dealer box when it outputs $[x]_A, [y]_A, [z]_A$ with $z = xy$. As usual, as aAND for B is symmetric, we only present how to construct aAND for A.

Fig. 17. Sect. 6 outline (diagram: aAND is built from LaAND, which is built from aBit and EQ).

We first construct a leaky version of aAND, or LaAND, described in Fig. 18. Similar to the LaOT box, the LaAND box may leak the value $x$ to B, at the price for B of being detected. The intuition behind the protocol for LaAND, described in Fig. 19, is to let A compute the AND locally and then authenticate the result. A and B then perform some computation on the keys and MACs, in a way so that A will be able to guess B's result only if she behaved honestly during the protocol: A behaved honestly (sent $d = z \oplus r$) iff she knows $W_0 = (K_x \| K_z)$ or $W_1 = (K_x \oplus \Delta_A \| K_y \oplus K_z)$. In fact, she knows $W_x$. As an example, if $x = 0$ and A is honest, then $z = 0$, so she knows $M_x = K_x$ and $M_z = K_z$. Had she cheated, she would know $M_z = K_z \oplus \Delta_A$ instead of $K_z$. B checks that A knows $W_0$ or $W_1$ by sending her $H(W_0) \oplus H(W_1)$ and asking her to return $H(W_0)$. This, however, allows B to send $H(W_0) \oplus H(W_1) \oplus E$ for an error term $E \neq 0^\kappa$. The returned value would be $H(W_0) \oplus xE$. To prevent this attack, they use the EQ box to compare the values instead. If B uses $E \neq 0^\kappa$, he must now guess $x$ to pass the protocol. However, B still may use this technique to guess a few $x$ bits. We fix this leakage later in a way similar to the way we fixed leakage of the LaOT box in Sect. 5. The proof of the following theorem can be found in App. H.

Theorem 7. The protocol in Fig. 19 securely implements $\mathrm{LaAND}(\ell)$ in the $(\mathrm{aBit}(3\ell, \kappa), \mathrm{EQ}(\ell\kappa))$-hybrid model.



Honest Parties: For $i = 1, \ldots, \ell$ the box outputs random $[x_i]_A, [y_i]_A, [z_i]_A$ with $z_i = x_i y_i$.

Corrupted Parties:

1. If A is corrupted she gets to choose all her random values.

2. If B is corrupted he gets to choose all his random values, including the global key $\Delta_A$. Also, he may, at any point prior to output being delivered to A, input $(i, g_i)$ to the box in order to try to guess $x_i$. If $g_i \neq x_i$ the box will output fail to A and terminate. Otherwise the box proceeds as if nothing has happened and B will know the guess was correct. He may make as many guesses as he desires.

Global Key Queries: The adversary can input $\Delta$ and will be told if $\Delta = \Delta_A$.

Fig. 18. The box $\mathrm{LaAND}(\ell)$ for $\ell$ Leaky Authenticated local ANDs.



The protocol runs $\ell$ times in parallel. Here described for a single leaky authenticated local AND:

1. A and B ask the dealer for $[x]_A, [y]_A, [r]_A$. (The global key is $\Delta_A$.)

2. A computes $z = xy$ and announces $d = z \oplus r$.

3. The parties compute $[z]_A = [r]_A \oplus d$.

4. B sends $U = H(K_x \| K_z) \oplus H(K_x \oplus \Delta_A \| K_y \oplus K_z)$ to A.

5. If $x = 0$, then A lets $V = H(M_x \| M_z)$. If $x = 1$, then A lets $V = U \oplus H(M_x \| M_y \oplus M_z)$.

6. A and B call the EQ box, with inputs $V$ and $H(K_x \| K_z)$ respectively. All the $\ell$ calls to EQ are handled using a single call to $\mathrm{EQ}(\ell\kappa)$.

7. If the strings were not different, the parties output $[x]_A, [y]_A, [z]_A$.

Fig. 19. Protocol for authenticated local AND with leaking bit

We now handle a few guessed x bits by random bucketing and a straight-forward combiner. In 
doing this efficiently, it is central that the protocol was constructed such that only x could leak. 
Had B been able to get information on both x and y we would have had to do the amplification 
twice. 



The protocol is parametrized by positive integers $B$ and $\ell$.

1. A and B call $\mathrm{LaAND}(\ell')$ with $\ell' = B\ell$. If the call to LaAND aborts, this protocol aborts. Otherwise, let $\{[x_i]_A, [y_i]_A, [z_i]_A\}_{i=1}^{\ell'}$ be the outputs.

2. A picks a $B$-wise independent permutation $\pi$ on $\{1, \ldots, \ell'\}$ and sends it to B. For $j = 0, \ldots, \ell - 1$, the $B$ triples $\{[x_{\pi(i)}]_A, [y_{\pi(i)}]_A, [z_{\pi(i)}]_A\}_{i=jB+1}^{(j+1)B}$ are defined to be in the $j$'th bucket.

3. The parties combine the $B$ LaANDs in the same bucket. We describe how to combine two LaANDs, call them $[x^1]_A, [y^1]_A, [z^1]_A$ and $[x^2]_A, [y^2]_A, [z^2]_A$, into one, call the result $[x]_A, [y]_A, [z]_A$:

   (a) A reveals $d = y^1 \oplus y^2$.

   (b) Compute $[x]_A = [x^1]_A \oplus [x^2]_A$, $[y]_A = [y^1]_A$ and $[z]_A = [z^1]_A \oplus [z^2]_A \oplus d[x^2]_A$.

   To combine all $B$ LaANDs in a bucket, just iterate by taking the result and combining it with the next element in the bucket.

Fig. 20. From Leaky Authenticated local ANDs to Authenticated local ANDs
Similar to the way we removed leakage in Sect. 5, we start by producing $B\ell$ LaANDs. Then we randomly distribute the $B\ell$ LaANDs into $\ell$ buckets of size $B$. Finally we combine the LaANDs in each bucket into one aAND which is secure if at least one LaAND in the bucket was not leaky. The protocol is described in Fig. 20. The proof of Thm. 8 can be found in App. I.

Theorem 8. Let $\mathrm{aAND}(\ell)$ denote the box which outputs $\ell$ aANDs as in $\mathcal{F}_{\text{DEAL}}$. If $(\log_2(\ell) + 1)(B - 1) \geq \psi$, then the protocol in Fig. 20 securely implements $\mathrm{aAND}(\ell)$ in the $\mathrm{LaAND}(B\ell)$-hybrid model with security parameter $\psi$.

This completes the description of our protocol. For the interested reader, a diagrammatic recap of the construction is given in App. J.

7 Experimental Results

We did a proof-of-concept implementation in Java. The hash function in our protocol was implemented using Java's standard implementation of SHA256. The implementation consists of a circuit-independent protocol for preprocessing all the random values output by $\mathcal{F}_{\text{DEAL}}$, a framework for constructing circuits for a given computation, and a run-time system which takes preprocessed values, circuits and inputs and carries out the secure computation.

We will not dwell on the details of the implementation, except for one detail regarding the generation of the circuits. In our implementation, we do not compile the function to be evaluated into a circuit in a separate step. The reason is that this would involve storing a huge, often highly redundant, circuit on the disk, and reading it back. This heavy disk access turned out to constitute a significant part of the running time in an earlier prototype implementation of ours, which we discarded. Instead, in the current prototype, circuits are generated on the fly, in chunks which are large enough that their evaluation generates large enough network packets that we can amortize away communication latency, but small enough that the circuit chunks can be kept in memory during their evaluation. A compiled circuit is hence replaced by a succinct program which generates the circuit in a streaming manner. This circuit stream is then sent through the runtime machine, which receives a separate stream of preprocessed $\mathcal{F}_{\text{DEAL}}$-values from the disk and then evaluates the circuit chunk by chunk in concert with the runtime machine at the other party in the protocol. The stream of preprocessed $\mathcal{F}_{\text{DEAL}}$-values from the disk is still expensive, but we currently see no way to avoid this disk access: the random nature of the preprocessed values seems to rule out a succinct representation.

For timing we did oblivious ECB-AES encryption. (Both parties input a secret 128-bit key, $K_A$ respectively $K_B$, defining an AES key $K = K_A \oplus K_B$. A inputs a secret $\ell$-block message $(m_1, \ldots, m_\ell) \in \{0,1\}^{128\ell}$. B learns $(E_K(m_1), \ldots, E_K(m_\ell))$.) We used the AES circuit from [PSSW09] and we thank Benny Pinkas, Thomas Schneider, Nigel P. Smart and Stephen C. Williams for providing us with this circuit.

The reason for using AES is that it provides a reasonably sized circuit which is also reasonably complex in terms of the structure of the circuit and the depth, as opposed to just running a lot of AND gates in parallel. Also, AES has been used as a benchmark in previous implementations, like [PSSW09], which allows us to do a crude comparison to previous implementations. The comparison can only be crude, as the experiments were run in different experimental setups.

In the timings we ran A and B on two different machines on Anonymous University's intranet (using two Intel Xeon E3430 2.40GHz cores on each machine). We recorded the number of Boolean gates evaluated ($G$), the time spent in preprocessing ($T_{\text{pre}}$) and the time spent by the run-time system ($T_{\text{onl}}$). In the table in Fig. 21 we also give the amortized time per AES encryption ($T_{\text{tot}}/\ell$ with $T_{\text{tot}} = T_{\text{pre}} + T_{\text{onl}}$) and the number of gates handled per second ($G/T_{\text{tot}}$). The time $T_{\text{pre}}$ covers the time spent on computing and communicating during the generation of the values preprocessed by $\mathcal{F}_{\text{DEAL}}$, and the time spent storing these values to a local disk. The time $T_{\text{onl}}$ covers the time spent on generating the circuit and the computation and communication involved in evaluating the circuit given the values preprocessed by $\mathcal{F}_{\text{DEAL}}$.

Fig. 21. Timings. Left table is average over 5 runs. Right table is from single runs. Units are as follows: $\ell$ is number of 128-bit blocks encrypted, $G$ is Boolean gates, $\sigma$ is bits of security, $T_{\text{pre}}, T_{\text{onl}}, T_{\text{tot}}$ are seconds.

We work with two security parameters. The computational security parameter $\kappa$ specifies that a poly-time adversary should have probability at most $\mathrm{poly}(\kappa)2^{-\kappa}$ of breaking the protocol. The statistical security parameter $\sigma$ specifies that we allow the protocol to break with probability $2^{-\sigma}$ independent of the computational power of the adversary. As an example of the use of $\kappa$, our keys and therefore MACs have length $\kappa$. This is needed as the adversary learns $H(K_i)$ and $H(K_i \oplus \Delta)$ in our protocols and can break the protocol given $\Delta$. As an example of the use of $\sigma$, when we generate $\ell$ gates with bucket size $B$, then $\sigma \leq (\log_2(\ell) + 1)(B - 1)$ due to the probability $(2\ell)^{1-B}$ that a bucket might end up containing only leaky components. This probability is independent of the computational power of the adversary, as the components are being bucketed by the honest party after it is determined which of them are leaky.

In the timings, the computational security parameter has been set to 120. Since our implementation has a fixed bucket size of 4, the statistical security level depends on $\ell$. In the table, we specify the statistical security level attained ($\sigma$ means insecurity $2^{-\sigma}$). At computational security level 120, the implementation needs to do 640 seed OTs. The timings do not include the time needed to do these, as that would depend on the implementation of the seed OTs, which is not the focus here. We note, however, that using, e.g., the implementation in [PSSW09], the seed OTs could be done in around 20 seconds, so they would not significantly affect the amortized times reported.

The dramatic drop in amortized time from ℓ = 1 to ℓ = 27 is due to the fact that the preprocessor,
due to implementation choices, has a smallest unit of gates it can preprocess for. The largest
number of AES circuits needing only one, two, three, four and five units is 27, 54, 81, 108 and 135,
respectively. Hence we preprocess equally many gates when ℓ = 1 and ℓ = 27.

As for total time, we found the best amortized behavior at ℓ = 54, where oblivious AES encryption
of one block takes amortized 1.6 seconds, and we handle 21,623 gates per second. As for online
time, we found the best amortized behavior at ℓ = 2048, where handling one AES block online takes
amortized 32 milliseconds, and online we handle 1,083,885 gates per second. We find these timings
encouraging and we plan an implementation in a more machine-near language, exploiting some of
the findings from implementing the prototype.
A Complexity Analysis

We report here on the complexity analysis of our protocol. As shown in Corollary 1, the protocol
requires an initial call to an ideal functionality for OT and EQ (with the parameters stated there).
After this, the cost per gate is only a number of invocations of a cryptographic hash function H.
In this section we give the exact number of hash function calls that we use in the construction of
the different primitives. As the final protocol is completely symmetric, we count the total number
of calls to H made by both parties.

Equality EQ: The EQ box can be securely implemented with 2 calls to a hash function H.
Authenticated OT aOT: Every aOT costs 4B calls to aBit, 2B calls to EQ, and 6B calls to H,
where B is the "bucket size".
Authenticated AND aAND: Every aAND costs 3B calls to aBit, B calls to EQ, and 3B calls to
H, where B is the "bucket size".
2PC Protocol, Input Gate: Input gates cost 1 aBit.
2PC Protocol, AND Gate: AND gates cost 2 aOT, 2 aAND, 2 aBit.
2PC Protocol, XOR Gate: XOR gates require no calls to H.

The cost per aBit, in the protocol described in the paper, requires 59 calls to H. However, using
some further optimizations (that are not described in the paper, as they undermine the modularity
of our constructions) we can take this number down to 8.

By plugging in these values we get that the cost per input gate is 59 calls to H (8 with
optimizations), and the cost per AND gate is 856B + 118 calls to H (142B + 16 with optimizations).
The implementation described in Sect. 7 uses the optimized version of the protocol and buckets of
fixed size 4, and therefore the total cost per AND gate is 584 calls to H.

As described in Sect. 3 we can greatly reduce the communication complexity of our protocol by
deferring the MAC checks. However, this trick comes at the cost of two calls to H (one for each player)
every time we do a "reveal". This adds 2B hashes for each aOT and aAND and in total adds 8B + 20
hashes to the cost of each AND gate. This added cost is not affected by the optimization mentioned
above.
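The accounting above, carried through as an added Python example (this is not code from the paper). The per-primitive counts are the ones stated in this appendix; the function names and the `deferred` switch for the deferred-MAC-check variant are this example's own, and the totals 856B + 118, 142B + 16 and 584 fall out of the composition.

```python
# Added example (not the paper's code): hash-call cost model of Appendix A.
# Every number below is a count of calls to the hash function H, made by both
# parties together, as a function of the bucket size B and the per-aBit cost.

def eq_cost():
    """One EQ box: 2 calls to H."""
    return 2

def abit_cost(optimized=False):
    """One aBit: 59 calls as described, 8 with the further optimizations."""
    return 8 if optimized else 59

def aot_cost(B, optimized=False, deferred=False):
    """One aOT: 4B aBit + 2B EQ + 6B direct calls; deferring the MAC checks
    adds one reveal (2 calls) per bucket element, i.e. 2B more."""
    c = 4 * B * abit_cost(optimized) + 2 * B * eq_cost() + 6 * B
    return c + (2 * B if deferred else 0)

def aand_cost(B, optimized=False, deferred=False):
    """One aAND: 3B aBit + B EQ + 3B direct calls (+2B when deferring)."""
    c = 3 * B * abit_cost(optimized) + B * eq_cost() + 3 * B
    return c + (2 * B if deferred else 0)

def input_gate_cost(optimized=False):
    """An input gate is one aBit."""
    return abit_cost(optimized)

def and_gate_cost(B, optimized=False, deferred=False):
    """An AND gate is 2 aOT + 2 aAND + 2 aBit; with deferred checks the text
    counts 8B + 20 extra calls in total, of which 8B come from the aOT/aAND
    reveals and 20 from the reveals of the gate evaluation itself."""
    c = (2 * aot_cost(B, optimized, deferred)
         + 2 * aand_cost(B, optimized, deferred)
         + 2 * abit_cost(optimized))
    return c + (20 if deferred else 0)

def circuit_cost(n_inputs, n_and, B=4, optimized=True, deferred=False):
    """Total calls to H for a circuit; XOR gates are free."""
    return (n_inputs * input_gate_cost(optimized)
            + n_and * and_gate_cost(B, optimized, deferred))

if __name__ == "__main__":
    # AES-sized circuit from the abstract (~34000 gates, most of them XOR);
    # the AND-gate count here is a placeholder, not a figure from the paper.
    print("AND gate, B=4, optimized:", and_gate_cost(4, optimized=True))
    print("AND gate, B=4, optimized, deferred:", and_gate_cost(4, True, True))
```

Symbolic checks: `and_gate_cost(B)` equals 856B + 118 for every B, `and_gate_cost(B, optimized=True)` equals 142B + 16, and B = 4 with optimizations gives the 584 quoted in the text.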

B Proof of Thm. 1

The simulator can be built in a standard way, incorporating the F_Deal box and learning all the
shares, keys and MACs that the adversary was supposed to use in the protocol.

In a little more detail, knowing all outputs from F_Deal to the corrupted parties allows the
simulator to extract the inputs used by corrupted parties and input these to the box F_2PC on behalf
of the corrupted parties. As an example, if A is corrupted, then learn the x_A sent to A by F_Deal
in Input and observe the value x_B sent by A to B. Then input x = x_A ⊕ x_B to F_2PC. This is the
same value as shared by [x] = [x_A | x_B] in the protocol.

Honest parties are run on uniformly random inputs, and when an honest party (A, say) is supposed
to help open [x], then the simulator learns from F_2PC the value x' that [x] should be opened to.
Then the simulator computes the share x_B that B holds, which is possible from the outputs of
F_Deal to B. Then the simulator learns the key K_{x_A} that B uses to authenticate x_A, which can also
be computed from the outputs of F_Deal to B. Then the simulator lets x_A = x' ⊕ x_B and lets
M_{x_A} = K_{x_A} ⊕ x_A Δ_B and sends (x_A, M_{x_A}) to B.

The simulator aborts if the adversary ever successfully sends some inconsistent bit, i.e., a bit
different from the bit it should send according to the protocol and its outputs from F_Deal.

It is easy to see that the protocol is passively secure and that if the adversary never sends an
inconsistent bit, then it is perfectly following the protocol up to input substitution. So, to prove
security it is enough to prove that the adversary manages to send an inconsistent bit only with
negligible probability. However, sending an inconsistent bit turns out to be equivalent to guessing
the global key Δ.

We now formalize the last claim. Consider the following game D_{I,I} played by an attacker A:

Global key: A global key Δ ∈ {0,1}^κ is sampled with some distribution and A might get side
information on Δ.

MAC query I: If A outputs a query (mac, b, l), where b ∈ {0,1} and l is a label which A did not
use before, sample a fresh local key K ∈_R {0,1}^κ, give M = K ⊕ bΔ to A and store (l, K, b).

Break query I: If A outputs a query (break, a_1, l_1, …, a_p, l_p, M'), where p is some positive integer
and values (l_1, K_1, b_1), …, (l_p, K_p, b_p) are stored, then let K = ⊕_{i=1}^p a_i K_i and b = ⊕_{i=1}^p a_i b_i. If
M' = K ⊕ (1 ⊕ b)Δ, then A wins the game. This query can be used only once.

We want to prove that if any A can win the game with probability q, then there exists an adversary
B which does not use more resources than A and which guesses Δ with probability q without doing
any MAC queries. Informally this argues that breaking the scheme is linearly equivalent to guessing
Δ without seeing any MAC values.

For this purpose, consider the following modified game D_{II,II} played by an attacker A:

Global key: No change.

MAC query II: If A outputs a query (mac, b, l, M), where b ∈ {0,1} and l is a label which A did
not use before and M ∈ {0,1}^κ, let K = M ⊕ bΔ and store (l, K, b).

Break query II: If A outputs a query (break, Δ') where Δ' = Δ, then A wins the game. This
query can be used only once.

We let D_{II,I} be the hybrid game with MAC query II and Break query I.

We say that an adversary A is no stronger than adversary B if A does not perform more queries
than B does and the running time of A is asymptotically linear in the running time of B.

Lemma 1. For any adversary A_{I,I} for D_{I,I} there exists an adversary A_{II,I} for D_{II,I} which is no
stronger than A_{I,I} and which wins the game with the same probability as A_{I,I}.

Proof. Given an adversary A_{I,I} for D_{I,I}, consider the following adversary A_{II,I} for D_{II,I}. The
adversary A_{II,I} passes all side information on Δ to A_{I,I}. If A_{I,I} outputs (mac, b, l), then A_{II,I}
samples M ∈_R {0,1}^κ, outputs (mac, b, l, M) to D_{II,I} and returns M to A_{I,I}. If A_{I,I} outputs
(break, a_1, l_1, …, a_p, l_p, M'), then A_{II,I} outputs (break, a_1, l_1, …, a_p, l_p, M') to D_{II,I}. It is easy to
see that A_{II,I} makes the same number of queries as A_{I,I} and has a running time which is linear in
that of A_{I,I}, and that A_{II,I} wins with the same probability as A_{I,I}. Namely, in D_{I,I} the value K is
uniform and M = K ⊕ bΔ. In D_{II,I} the value M is uniform and K = M ⊕ bΔ. This gives the exact
same distribution on (K, M). □

Lemma 2. For any adversary A_{II,I} for D_{II,I} there exists an adversary A_{II,II} for D_{II,II} which is no
stronger than A_{II,I} and which wins the game with the same probability as A_{II,I}.

Proof. Given an adversary A_{II,I} for D_{II,I}, consider the following adversary A_{II,II} for D_{II,II}. The
adversary A_{II,II} passes any side information on Δ to A_{II,I}. If A_{II,I} outputs (mac, b, l, M), then A_{II,II}
outputs (mac, b, l, M) to D_{II,II} and stores (l, M, b). If A_{II,I} outputs (break, a_1, l_1, …, a_p, l_p, M'),
where values (l_1, M_1, b_1), …, (l_p, M_p, b_p) are stored, then let M = ⊕_{i=1}^p a_i M_i and b = ⊕_{i=1}^p a_i b_i and
output (break, M ⊕ M'). For each (l_i, M_i, b_i) let K_i be the corresponding key stored by D_{II,II}. We
have that M_i = K_i ⊕ b_i Δ, so if we let K = ⊕_{i=1}^p a_i K_i, then M = K ⊕ bΔ. Assume that A_{II,I}
would win D_{II,I}, i.e., M' = K ⊕ (1 ⊕ b)Δ. This implies that M ⊕ M' = K ⊕ bΔ ⊕ K ⊕ (1 ⊕ b)Δ = Δ,
which means that A_{II,II} wins D_{II,II}. □

Consider then the following game D_{II} played by an attacker A:

Global key: No change.

MAC query: No MAC queries are allowed.

Break query II: No change.

Lemma 3. For any adversary A_{II,II} for D_{II,II} there exists an adversary A_{II} for D_{II} which is no
stronger than A_{II,II} and which wins the game with the same probability as A_{II,II}.

Proof. Let A_{II} = A_{II,II}. The game D_{II} simply ignores the MAC queries, and it can easily be seen
that they have no effect on the winning probability, so the winning probability stays the same. □

Corollary 2. For any adversary A_{I,I} for D_{I,I} there exists an adversary A_{II} for D_{II} which is no
stronger than A_{I,I} and which wins the game with the same probability as A_{I,I}.

This formalizes the claim that the only way to break the scheme is to guess Δ.
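The MAC M = K ⊕ bΔ, the combination used by Break query I and the Lemma 2 reduction, as an added Python example (not code from the paper). The class and function names are this example's own; κ is shortened to 16 bits so the values are readable, and `secrets` stands in for the uniform sampling of keys.

```python
# Added example (not the paper's code): the information-theoretic MAC of
# Appendix B. Keys, MACs and Delta are kappa-bit integers; XOR is "+" in GF(2)^kappa.
import secrets

KAPPA = 16  # the paper uses kappa = 120; shortened here for illustration

def mac(key, bit, delta):
    """M = K xor (b * Delta)."""
    return key ^ (delta if bit else 0)

def combine(keys, bits, macs, coeffs):
    """XOR the triples (K_i, b_i, M_i) selected by a_i in {0,1}. Because every
    M_i = K_i xor b_i Delta under the same Delta, the result again satisfies
    M = K xor b Delta: this is what Break query I relies on."""
    key = bit = m = 0
    for k, b, mm, a in zip(keys, bits, macs, coeffs):
        if a:
            key ^= k
            bit ^= b
            m ^= mm
    return key, bit, m

class GameDII:
    """Game D_{I,I}: MAC query I returns M for a fresh random K and stores
    (l, K, b); Break query I wins iff M' = K xor (1 xor b) Delta for the
    combined (K, b) of the named labels."""
    def __init__(self, delta):
        self.delta = delta
        self.store = {}  # label -> (K, b)

    def mac_query(self, label, bit):
        if label in self.store:
            raise ValueError("label already used")
        k = secrets.randbits(KAPPA)
        self.store[label] = (k, bit)
        return mac(k, bit, self.delta)

    def break_query(self, labels, coeffs, m_forged):
        keys = [self.store[l][0] for l in labels]
        bits = [self.store[l][1] for l in labels]
        key, bit, _ = combine(keys, bits, [0] * len(labels), coeffs)
        return m_forged == mac(key, bit ^ 1, self.delta)

def extract_delta(macs_seen, coeffs, m_forged):
    """Reduction A_{II,II} of Lemma 2: it only needs the MACs M_i the adversary
    saw. With M = XOR_i a_i M_i = K xor b Delta and a winning forgery
    M' = K xor (1 xor b) Delta, the output M xor M' is exactly Delta."""
    _, _, m = combine([0] * len(macs_seen), [0] * len(macs_seen), macs_seen, coeffs)
    return m ^ m_forged

def homomorphism_holds(delta, trials=50):
    """Random check that XOR-combining valid MACs yields a valid MAC on the
    XOR of the bits, under the same Delta."""
    for _ in range(trials):
        keys = [secrets.randbits(KAPPA) for _ in range(4)]
        bits = [secrets.randbits(1) for _ in range(4)]
        macs = [mac(k, b, delta) for k, b in zip(keys, bits)]
        coeffs = [secrets.randbits(1) for _ in range(4)]
        key, bit, m = combine(keys, bits, macs, coeffs)
        if m != mac(key, bit, delta):
            return False
    return True

def forgery_reveals_delta(delta):
    """An adversary that has Delta as side information (the only way to win
    with certainty) forges on the flipped combined bit; the reduction then
    recovers Delta exactly from public values."""
    game = GameDII(delta)
    labels, bits, coeffs = ["l1", "l2", "l3"], [1, 0, 1], [1, 1, 0]
    macs = [game.mac_query(l, b) for l, b in zip(labels, bits)]
    _, _, m = combine([0] * 3, [0] * 3, macs, coeffs)
    forged = m ^ delta  # possible only because this adversary knows Delta
    if not game.break_query(labels, coeffs, forged):
        return False
    return extract_delta(macs, coeffs, forged) == delta
```

The point of `extract_delta` is that it never touches the stored keys: everything it uses is visible to the adversary, which is why winning D_{I,I} is no easier than guessing Δ outright.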
C Proof of Thm. 2

The simulator answers a global key query Γ to WaBit by doing the global key query AΓ on the
ideal functionality aBit and returning the reply. This gives a perfect simulation of these queries,
and we ignore them below.

Correctness of the protocol is straightforward: We have that M_i' = K_i' ⊕ x_i Γ_A, so M_i = A M_i' =
A K_i' ⊕ x_i A Γ_A = K_i ⊕ x_i Δ_A. Clearly the protocol leaks no information on the x_i's as there is only
communication from B to A. It is therefore sufficient to look at the case where A is corrupted. We
are not going to give a simulation argument but just show that Δ_A is uniformly random in the view
of A except with probability 2^{2−ψ}. Turning this argument into a simulation argument is
straightforward.

We start by proving three technical lemmas.

Assume that ℒ is a class of leakage functions on τ bits which is κ-secure. Consider the following
game.

1. Sample Γ_A ∈_R {0,1}^τ.

2. Get L ∈ ℒ from A and sample (S, c) ← L.

3. Give {(j, (Γ_A)_j)}_{j∈S} to A.

4. Sample A ∈_R {0,1}^{ψ×τ} and give A to A.

5. Let Δ_A = A Γ_A.

We want to show that Δ_A is uniform to A except with probability 2^{2−ψ}. When we say that Δ_A
is uniform to A we mean that Δ_A is uniformly random in {0,1}^ψ and independent of the view of
A. When we say except with probability 2^{2−ψ} we mean that there exists a failure event F for which
it holds that

1. F occurs with probability at most 2^{2−ψ} and

2. when F does not occur, then Δ_A is uniform to A.

For a subset S ⊆ {1, …, τ} of the column indices, let A^S be the matrix where column j is equal
to A^j if j ∈ S and column j is the 0 vector if j ∉ S. We say that we blind out column j with 0's
if j ∉ S. Similarly, for a column vector v we use the notation v_S to mean that we set all indices v_i
where i ∉ S to be 0. Note that A v_S = A^S v. Let S̄ = {1, …, τ} \ S.

Lemma 4. Let S be the indices of the bits learned by A and let A be the matrix in the game above.
If A^{S̄} spans {0,1}^ψ, then Δ_A is uniform to A.

Proof. We start by making two simple observations. First of all, if A learns (Γ_A)_j for j ∈ S, then it
learns (Γ_A)_S, so it knows A(Γ_A)_S = A^S Γ_A. The second observation is that AΓ_A = A^S Γ_A + A^{S̄} Γ_A,
as A = A^S + A^{S̄}. The lemma follows directly from these observations and the premise: We have that
A^{S̄} Γ_A is uniformly random in {0,1}^ψ when the columns of A^{S̄} span {0,1}^ψ. Since A^{S̄} Γ_A = A(Γ_A)_{S̄}
and (Γ_A)_{S̄} is uniformly random and independent of the view of A it follows that A^{S̄} Γ_A is uniformly
random and independent of the view of A. Since A^S Γ_A is known by A it follows that A^S Γ_A + A^{S̄} Γ_A
is uniform to A. The proof concludes by using that Δ_A = A^S Γ_A + A^{S̄} Γ_A. □

Lemma 5. Let W be the event that |S| > τ − n and c = 1. Then Pr[W] ≤ 2^{−ψ}.

Proof. We use that τ = αn and that ℒ is κ-secure on τ bits.

Without loss of generality we can assume that A plays an optimal L ∈ ℒ, i.e., log_2(E[c 2^{|S|}]) = leak_ℒ.
Since ℒ is κ-secure on τ bits, it follows that leak_ℒ ≤ τ − κ. This gives that

$$ E\big[c\,2^{|S|}\big] \le 2^{\mathrm{leak}_{\mathcal{L}}} \le 2^{\tau-\kappa} , \qquad (1) $$

which we use later.

Now let W̄ be the event that W does not happen. By the properties of conditional expected
value we have that

$$ E\big[c\,2^{|S|}\big] = \Pr[W]\,E\big[c\,2^{|S|} \,\big|\, W\big] + \Pr[\bar W]\,E\big[c\,2^{|S|} \,\big|\, \bar W\big] . $$

When W happens, then |S| > τ − n = (α − 1)n and c = 1, so c 2^{|S|} = 2^{|S|} > 2^{(α−1)n}. This gives that

$$ E\big[c\,2^{|S|} \,\big|\, W\big] \ge 2^{(\alpha-1)n} . $$

Hence

$$ E\big[c\,2^{|S|}\big] \ge \Pr[W]\,2^{(\alpha-1)n} . $$

Combining with (1) we get that

$$ \Pr[W] \le 2^{(\tau-\kappa)-(\alpha-1)n} . $$

It is, therefore, sufficient to show that (τ − κ) − (α − 1)n = −ψ, which can be checked to be the case by
definition of τ, α, n and ψ. □

(Footnote to step 5 of the game above: here we are looking at the string Γ_A as a column vector of bits.)

Lemma 6. Let x_1, …, x_n ∈_R {0,1}^ψ. Then x_1, …, x_n span {0,1}^ψ except with probability 2^{1−ψ}.

Proof. We only use that n is a fixed multiple of ψ, as set by the choice of parameters.

Define random variables Y_1, …, Y_n where Y_i = 0 if x_1, …, x_{i−1} span {0,1}^ψ or the span of
x_1, …, x_{i−1} does not include x_i. Let Y_i = 1 in all other cases. Note that if x_1, …, x_{i−1} span
{0,1}^ψ, then Pr[Y_i = 1] = 0 ≤ 1/2 and that if x_1, …, x_{i−1} do not span {0,1}^ψ, then they span at
most half of the vectors in {0,1}^ψ and hence again Pr[Y_i = 1] ≤ 1/2. This means that it holds for
all Y_i that Pr[Y_i = 1] ≤ 1/2 independently of the values of Y_j for j ≠ i. This implies that if we let
Y = Σ_{i=1}^n Y_i, then

$$ \Pr\Big[Y > \tfrac{1}{2}(a+n)\Big] \le 2e^{-a^2/2n} $$

using the random walk bound. Namely, let X_i = 2Y_i − 1. Then X_i ∈ {−1, 1} and it holds for
all i that Pr[X_i = 1] ≤ 1/2 independently of the other X_j. If the X_i had been independent and
Pr[X_i = 1] = Pr[X_i = −1] = 1/2, and X = Σ_{i=1}^n X_i, then the random walk bound gives that

$$ \Pr[X > a] \le 2e^{-a^2/2n} . $$

Since we have that Pr[X_i = 1] ≤ 1/2 independently of the other X_j, the upper bound applies also to
our setting. Then use that X = 2Y − n.

If we let a = n − 2ψ, then ½(a + n) = n − ψ, and since n is a fixed multiple of ψ, 2e^{−a²/2n} = 2e^{−cψ}
for a constant c with e^{−c} < 1/2 (this is where the choice of n enters). It follows that
Pr[Y > n − ψ] ≤ 2^{1−ψ}. When Y ≤ n − ψ, then Y_i = 0 for at least ψ values of i. This is easily seen
to imply that x_1, …, x_n contain at least ψ linearly independent vectors. □

Recall that W is the event that |S| > τ − n and c = 1. By Lemma 5 we have that Pr[W] ≤ 2^{−ψ}.
For the rest of the analysis we assume that W does not happen, i.e., |S| ≤ τ − n and
hence |S̄| ≥ n. Since A is picked uniformly at random and independent of S it follows that
n of the columns in A^{S̄} are uniformly random and independent. Hence, by Lemma 6 they span
{0,1}^ψ except with probability 2^{1−ψ}. We let D be the event that they do not span. If we assume
that D does not happen, then by Lemma 4 Δ_A is uniform to A. I.e., if the event F = W ∪ D does
not happen, then Δ_A is uniform to A. And, Pr[F] ≤ Pr[W] + Pr[D] ≤ 2^{−ψ} + 2^{1−ψ} < 2^{2−ψ}.
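The GF(2) linear algebra that Lemmas 4 and 6 rest on, as an added Python example (not code from the paper). Columns of A are ψ-bit integers, S is the set of leaked indices; the function names are this example's own. `image_counts` makes Lemma 4 concrete: when the unleaked columns have full rank, every value of A^{S̄}·v is hit equally often as v ranges over the unleaked bits, so Δ_A is uniform given the leaked ones; `empirical_span_failure` compares the failure rate of n random vectors against the Lemma 6 bound 2^{1−ψ}.

```python
# Added example (not the paper's code): rank, span and image counts over GF(2)
# for the matrix argument of Appendix C. Vectors in {0,1}^psi are psi-bit ints.
import random

def gf2_rank(vectors):
    """Rank over GF(2) by XOR-basis elimination. Each basis element keeps a
    distinct top bit; min(v, v ^ b) clears that bit from v whenever it is set."""
    basis = []
    for v in vectors:
        for b in basis:
            v = min(v, v ^ b)
        if v:
            basis.append(v)
    return len(basis)

def spans(vectors, psi):
    """Do the vectors span all of {0,1}^psi?"""
    return gf2_rank(vectors) == psi

def apply_matrix(columns, gamma_bits):
    """A * Gamma over GF(2): XOR of the columns selected by the bits of Gamma."""
    out = 0
    for col, g in zip(columns, gamma_bits):
        if g:
            out ^= col
    return out

def unleaked_columns_span(columns, leaked, psi):
    """Premise of Lemma 4: do the columns A^j with j not in S span {0,1}^psi?"""
    return spans([c for j, c in enumerate(columns) if j not in leaked], psi)

def image_counts(columns):
    """Count how often each value A^{S-bar} * v occurs as v ranges over every
    assignment of the unleaked bits. With full rank every value of {0,1}^psi
    appears 2^(m - psi) times (m = number of unleaked columns): uniform output."""
    m = len(columns)
    counts = {}
    for v in range(1 << m):
        bits = [(v >> j) & 1 for j in range(m)]
        out = apply_matrix(columns, bits)
        counts[out] = counts.get(out, 0) + 1
    return counts

def empirical_span_failure(psi, n, trials, seed=0):
    """Fraction of trials in which n uniform psi-bit vectors fail to span
    {0,1}^psi; Lemma 6 bounds this by 2^(1 - psi) for the n the paper uses."""
    rng = random.Random(seed)
    fails = 0
    for _ in range(trials):
        vecs = [rng.getrandbits(psi) for _ in range(n)]
        if not spans(vecs, psi):
            fails += 1
    return fails / trials

if __name__ == "__main__":
    psi, tau = 3, 5
    rng = random.Random(1)
    A = [rng.getrandbits(psi) for _ in range(tau)]   # constructed small instance
    print("unleaked columns span:", unleaked_columns_span(A, {0, 1}, psi))
    print("failure rate psi=10, n=20:", empirical_span_failure(10, 20, 1000))
```

For ψ = 10 and n = 20 the exact failure probability is 1 − ∏_{i<10}(1 − 2^{i−20}) ≈ 2^{−10}, comfortably under the 2^{1−ψ} bound, which the empirical run reproduces.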

D Proof of Thm. 4

Notice that since we have to prove that we implement LaBit, which has the global key queries, it
would be stronger to show that we implement a version LaBit' of LaBit which does not have these global
key queries. This is what we do below, as we let LaBit denote this stronger box.

Given a pairing π, let S(π) = {i | i < π(i)}, i.e., for each pair we add the smaller index to
S(π).

The cases where no party is corrupted and where B is corrupted are straightforward, so we will
focus on the case that A is corrupted.

The proof goes via a number of intermediary boxes, and for each we show linear reducibility.

Approximating LaBit, Version 1. This box captures the fact that the only thing a malicious A
can manage is to use different Γ's in a few bit authentications.



Honest parties: As in LaBit.
Corrupted parties:

1. If B is corrupted: As in LaBit.

2. (a) If A is corrupted, then A inputs a function col : {1, …, T} → {1, …, T}. We think of col as assigning
colors from {1, …, T} to T balls named 1, …, T. In addition A inputs Δ_1, …, Δ_T ∈ {0,1}^ℓ and
L_1, …, L_T ∈ {0,1}^ℓ.

   (b) Then the box samples a uniformly random pairing π : {1, …, T} → {1, …, T} and outputs π to A.
We think of π as pairing the T balls. Let S = S(π) and let M = {i ∈ S | col(i) ≠ col(π(i))}. We call
i ∈ M a mismatched ball.

   (c) Now A inputs the guesses {(i, g_i)}_{i∈M}.

   (d) The box samples (y_1, …, y_T) ∈_R {0,1}^T. Then the box lets c = 1 if g_i = y_i for all i ∈ M, otherwise
it lets c = 0. If c = 0 the box outputs fail to B and terminates. Otherwise, for i ∈ S it computes
N_i = L_i ⊕ y_i Δ_{col(i)} and outputs {(N_i, y_i)}_{i∈S} to B.

Fig. 22. The First Intermediate Box IB1

Lemma 7. IB1 is linear reducible to (OT(2τ, ℓ), EQ(τℓ)).

Proof. By observing A's inputs to the OTs, the simulator learns all (Y_{i,0}, Y_{i,1}). Let L_i = Y_{i,0} and
Γ_i = Y_{i,0} ⊕ Y_{i,1}.

Let f be the number of distinct values among Γ_1, …, Γ_T, and pick distinct Δ_1, …, Δ_f and
col : {1, …, T} → {1, …, T} such that Γ_i = Δ_{col(i)}. By construction

$$ Y_{i,1} = Y_{i,0} \oplus (Y_{i,0} \oplus Y_{i,1}) = L_i \oplus \Gamma_i = L_i \oplus \Delta_{\mathrm{col}(i)} . $$

Input col and Δ_1, …, Δ_f and L_1, …, L_T to IB1 on behalf of A and receive π. Send π to A as if
coming from B along with uniformly random {d_i}_{i∈S}.

Then observe the inputs Z_i from A to the EQ box.

The simulator must now pick the guesses g_i for i ∈ M. Note that i ∈ M implies that Δ_{col(i)} ≠
Δ_{col(π(i))}, which implies that Γ_i ≠ Γ_{π(i)}. We use this to pick g_i as follows: after seeing d_i, A knows
that either (y_i, y_{π(i)}) = (0, d_i) or (y_i, y_{π(i)}) = (1, 1 ⊕ d_i). Hence an honest B would input to the
comparison the following value, depending on y_i:

$$ W_i(y_i) = \big(L_i \oplus L_{\pi(i)} \oplus d_i\,\Delta_{\mathrm{col}(\pi(i))}\big) \oplus y_i\big(\Delta_{\mathrm{col}(i)} \oplus \Delta_{\mathrm{col}(\pi(i))}\big) . $$

As i ∈ M, the mismatched set, Δ_{col(i)} ≠ Δ_{col(π(i))} and therefore W_i(0) ≠ W_i(1). Therefore if A's
input Z_i to the EQ box is equal to W_i(0) (resp. W_i(1)), the simulator inputs a guess g_i = 0 (resp.
g_i = 1). In any other case, the simulator outputs fail and aborts.

Notice that in the real-life protocol, if g_i = y_i, then W_i(y_i) = Z_i and A passes the test. If
g_i ≠ y_i, then W_i(y_i) = W_i(1 ⊕ g_i) ≠ Z_i and A fails the test. So, the protocol and the simulation fail on
the same event. Note then that when the box does not fail, then it outputs

$$ N_i = L_i \oplus y_i\,\Delta_{\mathrm{col}(i)} = Y_{i,0} \oplus y_i\,\Gamma_i = Y_{i,y_i} , $$

exactly as the protocol. Hence the simulation is perfect. □
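A simulation of the pairing check that the Lemma 7 argument is about, as an added Python example (not code from the paper). A is the OT sender with messages (Y_{i,0}, Y_{i,1}); an honest A uses Y_{i,1} = Y_{i,0} ⊕ Γ with one Γ, while the `gammas` list lets a cheating A use a different Γ_i per OT. B receives N_i = Y_{i,y_i}, the balls are paired by a random pairing π, B reveals d_i = y_i ⊕ y_{π(i)}, and A's Z_i is compared with B's W_i = N_i ⊕ N_{π(i)}. The function names and the bit lengths are this example's own.

```python
# Added example (not the paper's code): the consistency check on paired OTs.
# W_i xor Z_i = y_i (Gamma_i xor Gamma_{pi(i)}), so a pair with mismatched
# Gammas passes exactly when y_i = 0, i.e. with probability 1/2, and an honest
# A (one global Gamma) passes always.
import random

def random_pairing(T, rng):
    """Uniformly random perfect matching of {0,...,T-1}: pi[pi[i]] == i, pi[i] != i."""
    idx = list(range(T))
    rng.shuffle(idx)
    pi = [None] * T
    for a, b in zip(idx[0::2], idx[1::2]):
        pi[a], pi[b] = b, a
    return pi

def is_pairing(pi):
    return all(pi[i] != i and pi[pi[i]] == i for i in range(len(pi)))

def S_of(pi):
    """S(pi): the smaller index of every pair."""
    return [i for i in range(len(pi)) if i < pi[i]]

def run_check(T, gammas, nbits, rng):
    """One execution. gammas[i] is the Gamma that A used in OT number i.
    Returns (passed, number_of_mismatched_pairs)."""
    pi = random_pairing(T, rng)
    Y = []
    for i in range(T):
        y0 = rng.getrandbits(nbits)
        Y.append((y0, y0 ^ gammas[i]))              # A's OT inputs (L_i, L_i xor Gamma_i)
    y = [rng.getrandbits(1) for _ in range(T)]       # B's choice bits
    N = [Y[i][y[i]] for i in range(T)]              # B's OT outputs N_i = Y_{i,y_i}
    passed, mismatched = True, 0
    for i in S_of(pi):
        j = pi[i]
        d = y[i] ^ y[j]                             # B reveals d_i = y_i xor y_{pi(i)}
        Z = Y[i][0] ^ Y[j][0] ^ (gammas[j] if d else 0)   # A: L_i xor L_j xor d_i Gamma_j
        W = N[i] ^ N[j]                             # B: N_i xor N_{pi(i)}
        if gammas[i] != gammas[j]:
            mismatched += 1
        if W != Z:                                  # the EQ box rejects
            passed = False
    return passed, mismatched

def pass_rate(T, gammas, nbits, trials, seed=0):
    """Fraction of executions in which A passes every pair."""
    rng = random.Random(seed)
    ok = sum(run_check(T, gammas, nbits, rng)[0] for _ in range(trials))
    return ok / trials

def sample_pairing(T, seed=0):
    return random_pairing(T, random.Random(seed))

if __name__ == "__main__":
    honest = [0xAB] * 8                      # one global Gamma
    cheater = [0x05] * 7 + [0x09]            # one OT with a different Gamma
    print("honest pass rate:", pass_rate(8, honest, 8, 200))
    print("cheater pass rate:", pass_rate(8, cheater, 8, 2000))
```

With exactly one ball of a different colour there is always exactly one mismatched pair, so the cheater's pass rate converges to 1/2; with k mismatched pairs it would be 2^{−k}, which is the c = 1 probability of IB3 and of the leakage class ℒ.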

Approximating LaBit, Version 2. We now formalize the idea that a wrong Γ-value is no worse
than a leaked bit.

We first need a preliminary definition of the most common color, called col_0. If several colors are
most common, then arbitrarily pick the numerically largest one. To be more precise, for each color
c, let C(c) = {j ∈ {1, …, T} | col(j) = c}, let a_0 = max_c |C(c)| and let col_0 = max{c | |C(c)| = a_0}.

Consider the following box IB2 in Fig. 23 for formalizing the second idea.



Honest parties: As in LaBit.
Corrupted parties:

1. If B is corrupted: As in LaBit.

2. (a) If A is corrupted, then A inputs a function col : {1, …, T} → {1, …, T}.

   (b) Then the box samples a uniformly random pairing π : {1, …, T} → {1, …, T} and outputs π to A.
Let S = S(π) and M = {i ∈ S | col(i) ≠ col(π(i))}.

   (c) Now A inputs the guesses {(i, g_i)}_{i∈M}.

   (d) The box samples (y_1, …, y_T) ∈_R {0,1}^T as in IB1 and lets c = 1 if g_i = y_i for all i ∈ M, otherwise it
lets c = 0. If c = 0 the box outputs fail to B and terminates. Otherwise, the box determines col_0.

   Then for i ∈ S, if col(i) ≠ col_0, the box outputs (i, y_i) to A. Then A inputs L_1, …, L_T ∈ {0,1}^ℓ and
Γ_B ∈ {0,1}^ℓ and for i ∈ S the box computes N_i = L_i ⊕ y_i Γ_B. Then it outputs {(N_i, y_i)}_{i∈S} to B.

Fig. 23. The Second Intermediate Box IB2

Lemma 8. IB2 is linear locally reducible to IB1.

Proof. The implementation of IB2 consists simply of calling IB1.

The case where B or no party is corrupted is trivial, so assume that A is corrupted. Note that
the simulator must simulate IB2 to the environment and is the one simulating IB1 to the corrupted
A.

First the simulator observes the inputs col, Δ_1, …, Δ_T ∈ {0,1}^ℓ and L_1, …, L_T ∈ {0,1}^ℓ of A*
to IB1 and inputs col to IB2.

Then IB2 outputs π and the simulator inputs π to A* as if coming from IB1, and computes M
as IB1 and IB2 would have done.

Then the simulator observes the guesses {(i, g_i)}_{i∈M} from A* to IB1 and inputs {(i, g_i)}_{i∈M} to
IB2. If IB2 outputs fail to B the simulation is over, and it is perfect as IB1 and IB2 fail based
on the same event. If IB2 does not fail it determines col_0 and for i ∈ S, if col(i) ≠ col_0, the box
outputs (i, y_i) to the simulator. The simulator can also determine col_0.

Now let Γ_B = Δ_{col_0} and for i ∈ S, if col(i) = col_0, let L_i' = L_i. Then for i ∈ S, if col(i) ≠ col_0,
let L_i' = (L_i ⊕ y_i Δ_{col(i)}) ⊕ y_i Γ_B. Then input L_1', …, L_T' and Γ_B to IB2.

As a result IB2 will, for i ∈ S where col(i) = col_0, output L_i' ⊕ y_i Γ_B = L_i ⊕ y_i Δ_{col_0}, and for
i ∈ S where col(i) ≠ col_0 it will output L_i' ⊕ y_i Γ_B = L_i ⊕ y_i Δ_{col(i)}. Hence IB2 gives exactly the
outputs that IB1 would have given after interacting with A*, giving a perfect simulation. □

Approximating LaBit, Version 3. We now massage IB2 a bit to make it look like LaBit. As a step
towards this, consider the box IB3 in Fig. 24.

Honest parties: As in LaBit.
Corrupted parties:

1. Corrupted B: As in LaBit.

2. (a) If A is corrupted, then A inputs a function col : {1, …, T} → {1, …, T}.

   (b) Then the box samples a uniformly random pairing π : {1, …, T} → {1, …, T} and outputs π to
A. Let M = {i ∈ S | col(i) ≠ col(π(i))}. The box flips a coin c ∈ {0,1} with c = 1 with probability
2^{−|M|}. If c = 0 the box outputs fail to B and terminates. Otherwise, the box outputs success and
the game proceeds.

   (c) Now A inputs the guesses {(i, g_i)}_{i∈M}.

   (d) The box updates y_i ← g_i for i ∈ M. Then the box determines col_0. Then for i ∈ S \ M, if
col(i) ≠ col_0, the box outputs i to A who inputs g_i ∈ {0,1} and the box updates y_i ← g_i.

   (e) Then A inputs L_1, …, L_T ∈ {0,1}^ℓ and Γ_B ∈ {0,1}^ℓ and for i ∈ S the box computes N_i = L_i ⊕ y_i Γ_B.
Then it outputs {(N_i, y_i)}_{i∈S} to B.

Fig. 24. The Third Intermediate Box IB3

Lemma 9. IB3 is linear locally reducible to IB2.

Proof. It is easy to see that IB3 is linear locally reducible to IB2; again the implementation consists
simply of calling IB2. To see this, consider first the change in how the box fails and how the y_i for
i ∈ M are set. In IB2 the box does not fail exactly with probability 2^{−|M|}, as the probability that g_i = y_i
for all i ∈ M is exactly 2^{−|M|}. Furthermore, if IB2 does not fail, then y_i = g_i for i ∈ M. So, this is
exactly the same behavior as IB3, hence this change is really just another way to implement the
same box. As for the second change, the simulator will input a uniformly random g_i ∈_R {0,1} to
IB3 when IB3 outputs i and will then show (i, y_i) to the corrupted A* expecting to interact with
IB2. □

We then argue that we can define a class ℒ such that LaBit^ℒ is linear locally reducible to IB3.
Let ℒ be the following class.

– A leakage function is specified by L = col, where col : {1, …, T} → {1, …, T}.

– To sample a leakage function L = col, sample a uniformly random pairing π : {1, …, T} →
{1, …, T}, let S = S(π), let η : S(π) → {1, …, τ} be the order preserving bijection, let
M = {j ∈ S | col(j) ≠ col(π(j))}, let c = 1 with probability 2^{−|M|} and c = 0 otherwise, let col_0
be the most common color as defined before, let S' = M ∪ {j ∈ S | col(j) ≠ col_0}, S̃ = η(S')
and output (c, S̃).

Playing with IB3 and LaBit^ℒ will give the same failure probability and will allow to specify the
same bits. The only difference is that when playing with LaBit^ℒ, the corrupted A* does not get
to see π, as LaBit does not leak the randomness used to sample the leakage function L. Below
we argue that given c and S̃ one can efficiently sample a uniformly random pairing π which would
lead to S̃ given c. Turning this into a simulation argument is easy: the simulator will know c and S̃
and will sample π from these and show this π to A*, hence perfectly simulating IB3. This gives the
following lemma.

Lemma 10. LaBit^ℒ(τ, ℓ) is linear locally reducible to IB3.

The simulator knows col and S̃ and it can determine col_0. From col_0 the simulator can also
compute

$$ \begin{aligned}
\mathcal{T} &= S' \setminus \{ j \in \{1,\dots,T\} \mid \mathrm{col}(j) \ne \mathrm{col}_0 \} \\
&= S' \cap \{ j \in \{1,\dots,T\} \mid \mathrm{col}(j) = \mathrm{col}_0 \} \\
&= \{ j \in S \mid \mathrm{col}(j) = \mathrm{col}_0 \wedge \mathrm{col}(j) \ne \mathrm{col}(\pi(j)) \} \\
&= \{ j \in S \mid \mathrm{col}(j) = \mathrm{col}_0 \wedge \mathrm{col}(\pi(j)) \ne \mathrm{col}_0 \} .
\end{aligned} $$

This restriction is met iff π has the property that col(π(j)) ≠ col_0 for j ∈ 𝒯 and col(π(j)) = col_0
for j ∈ C_0 \ 𝒯, where C_0 = {j | col(j) = col_0}. Furthermore, any π meeting these restrictions would
lead to the observed value of S̃. It is hence sufficient to show that we can sample a uniformly random
π meeting these restrictions.

Let C̄_0 = {1, …, T} \ C_0. Pick π_0 : 𝒯 → C̄_0 to be a uniformly random injection on the specified
domains. Pick π_1 : C_0 \ 𝒯 → C_0 similarly. Let π_2 : 𝒯 ∪ C_0 → {1, …, T} be defined by π_2(j) = π_0(j)
for j ∈ 𝒯 and π_2(j) = π_1(j) for j ∈ C_0 \ 𝒯. Since π_0 and π_1 map into disjoint sets, this is again an
injection. Now let π_3 : {1, …, T} \ (C_0 ∪ 𝒯) → {1, …, T} \ img(π_2) be a random bijection on the
specified domains. Define π from π_2 and π_3 as we defined π_2 from π_0 and π_1. Then it is easy to see
that π is a uniformly random permutation meeting the restrictions. The definition of π shows how
to sample it efficiently.

Concluding the proof. Using the above theorem and lemmata and the fact that linear reducibility
is transitive, we now have the following theorem.

Corollary 3. LaBit^ℒ(τ, ℓ) is linear reducible to (OT(2τ, ℓ), EQ(τℓ)).

We now show that if we set κ = 3τ/4, then ℒ is κ-secure. For this purpose we assign a price to
each ball j ∈ S(π).

1. If col(j) ≠ col(π(j)), then let price_{col,π}(j) = 1.

2. If col(j) = col(π(j)) = col_0, then let price_{col,π}(j) = 1.

3. If col(j) = col(π(j)) ≠ col_0, then let price_{col,π}(j) = 0.

Let price_{col,π} = Σ_{j∈S} price_{col,π}(j).

Lemma 11. Consider an adversary A playing the game against ℒ and assume that it submits
L = col. Assume that the game uses π. Then the success probability of A is at most 2^{−price_{col,π}}.

Proof. Define price^1_{col,π}(j) as price_{col,π}(j) except that if col(j) = col(π(j)) = col_0, then
price^1_{col,π}(j) = 0. Define price^2_{col,π}(j) as price_{col,π}(j) except that if col(j) ≠ col(π(j)), then
price^2_{col,π}(j) = 0. Then price_{col,π}(j) = price^1_{col,π}(j) + price^2_{col,π}(j). Define price^1_{col,π} and price^2_{col,π}
by summing over j ∈ S. Then price_{col,π} = price^1_{col,π} + price^2_{col,π}. Note that |M| = price^1_{col,π}
and note that |S'| = τ − price^2_{col,π}, as the only balls j ∈ S which do not enter S' are
those for which col(j) = col(π(j)) = col_0. (Recall that S' is defined during the definition of ℒ above.)
We have that A wins if c = 1 and it guesses y_j for all j ∈ S \ S'. The probability that c = 1 is
2^{−|M|} = 2^{−price^1_{col,π}}. We have that |S \ S'| = τ − |S'| = τ − (τ − price^2_{col,π}) = price^2_{col,π}. So, the
probability that A guesses correctly is 2^{−price^2_{col,π}}. So, the overall success probability is
2^{−price^1_{col,π}} · 2^{−price^2_{col,π}} = 2^{−price_{col,π}}. □
Now let π be chosen uniformly at random and let price_col(j) be the random variable describing
price_{col,π}(j). Let price_col = Σ_{j∈S} price_col(j). It is then easy to see that the probability of winning
the game on L = col is at most

$$ \mathrm{success}_{\mathrm{col}} = \sum_{p=0}^{\tau} \Pr[\mathrm{price}_{\mathrm{col}} = p]\; 2^{-p} . $$

For each price p, let P_p be an indicator variable which is 1 if price_col = p and which is 0 otherwise.
Note that E[P_p] = Pr[price_col = p], and note that Σ_{p=0}^τ P_p 2^{−p} = 2^{−price_col}, as P_p = 0 for p ≠ price_col
and P_p = 1 for p = price_col. Then

$$ \begin{aligned}
\mathrm{success}_{\mathrm{col}} &= \sum_{p=0}^{\tau} \Pr[\mathrm{price}_{\mathrm{col}} = p]\; 2^{-p}
 = \sum_{p=0}^{\tau} E[P_p]\; 2^{-p}
 = E\Big[\sum_{p=0}^{\tau} P_p\, 2^{-p}\Big] \\
&= E\big[2^{-\mathrm{price}_{\mathrm{col}}}\big]
 = E\big[2^{-\sum_{j \in S} \mathrm{price}_{\mathrm{col}}(j)}\big] .
\end{aligned} $$

Now let φ(x) = 2^{−x}, and we have that

$$ \mathrm{success}_{\mathrm{col}} = E\Big[\varphi\Big(\sum_{j\in S}\mathrm{price}_{\mathrm{col}}(j)\Big)\Big] . $$

The argument now applies Jensen's inequality, treating φ as concave, to obtain

$$ E\Big[\varphi\Big(\sum_{j\in S}\mathrm{price}_{\mathrm{col}}(j)\Big)\Big] \le \varphi\Big(E\Big[\sum_{j\in S}\mathrm{price}_{\mathrm{col}}(j)\Big]\Big) , $$

and hence

$$ \mathrm{success}_{\mathrm{col}} \le 2^{-E[\sum_{j\in S}\mathrm{price}_{\mathrm{col}}(j)]} . $$

(Caveat: φ(x) = 2^{−x} is convex, not concave, so Jensen's inequality on its own gives
E[φ(X)] ≥ φ(E[X]), the opposite direction. The inequality in the direction used here needs the
price sum to be concentrated around its expectation, which is not argued in the text.)

It follows that if we can compute m_0 = min_col Σ_{j∈S} E[price_col(j)], then 2^{−m_0} is an upper bound on
the best success rate.

We say that L = col is optimal if Σ_{j∈S} E[price_col(j)] = m_0, and now find an optimal L.
We first show that there is no reason to use balls of color col_0 in the optimal strategy.
Lemma 12. Let L = col be an optimal leakage function and let col_0 = col_0(col). Then there exists
j such that col(j) ≠ col_0.

Proof. Assume for the sake of contradiction that col(j) = col_0 for j = 1, …, T. Then clearly
Σ_{j∈S} E[price_col(j)] = τ, and it is easy to see that there are strategies which do better than 2^{−τ}, so
L cannot be optimal. □

Let col_1, …, col_{T−1} be an enumeration of the colors different from col_0, i.e., {col_0, col_1, …, col_{T−1}} =
{1, …, T}. Let C_i be the balls with color col_i, i.e., C_i = {j ∈ {1, …, T} | col(j) = col_i}. Note that
{1, …, T} is a disjoint union of C_0, …, C_{T−1}. Let a_i be the number of balls of color col_i, i.e., a_i = |C_i|.
Note that T = Σ_{i=0}^{T−1} a_i.

With these definitions we have that

$$ \sum_{j\in S} E[\mathrm{price}_{\mathrm{col}}(j)] = \sum_{i=0}^{T-1} \sum_{j\in C_i} E[\mathrm{price}_{\mathrm{col}}(j)] , $$

where a ball j only contributes when j ∈ S, which happens with probability 1/2 over the choice of π.

For a ball j ∈ C_0 of color col_0 we always have price_col(j) = 1 when j ∈ S, by definition of the price, so

$$ \sum_{j\in C_0} E[\mathrm{price}_{\mathrm{col}}(j)] = \frac{1}{2}\, a_0 . $$

For a ball j ∈ C_i for i > 0 we have price_col(j) = 0 if col(π(j)) = col_i and price_col(j) = 1 if
col(π(j)) ≠ col_i. We have that π(j) is uniform on {1, …, T} \ {j}. Since col(j) = col_i there are
a_i − 1 balls k ∈ {1, …, T} \ {j} for which col(k) = col_i. So,

$$ E[\mathrm{price}_{\mathrm{col}}(j)] = \frac{1}{2}\cdot\frac{(T-1)-(a_i-1)}{T-1} = \frac{1}{2}\cdot\frac{T-a_i}{T-1} , $$

which implies that

$$ \sum_{j\in C_i} E[\mathrm{price}_{\mathrm{col}}(j)] = \frac{1}{2}\cdot\frac{a_i\,(T-a_i)}{T-1} . $$

It follows that

$$ \sum_{i=1}^{T-1}\sum_{j\in C_i} E[\mathrm{price}_{\mathrm{col}}(j)]
 = \frac{1}{2}\cdot\frac{1}{T-1}\sum_{i=1}^{T-1} a_i\,(T-a_i)
 = \frac{1}{2}\cdot\frac{1}{T-1}\Big(T(T-a_0) - \sum_{i=1}^{T-1} a_i^2\Big) , $$

using Σ_{i=1}^{T−1} a_i = T − a_0.

All in all we now have that

$$ E[\mathrm{price}_{\mathrm{col}}] = \sum_{i=0}^{T-1}\sum_{j\in C_i} E[\mathrm{price}_{\mathrm{col}}(j)]
 = \frac{1}{2}\,a_0 + \frac{1}{2}\cdot\frac{1}{T-1}\Big(T(T-a_0) - \sum_{i=1}^{T-1} a_i^2\Big)
 = \frac{1}{2}\cdot\frac{1}{T-1}\Big(T^2 - a_0 - \sum_{i=1}^{T-1} a_i^2\Big) . $$

To minimize this expression we have to maximize a_0 + Σ_{i=1}^{T−1} a_i². Recall that col_0 is defined to be
the most common color, so we must adhere to a_0 ≥ a_i for i > 0. Under this restriction it is easy to
see that a_0 + Σ_{i=1}^{T−1} a_i² is maximal when a_0 = a_1 = T/2 and a_2 = ⋯ = a_{T−1} = 0, in which case it has
the value T/2 + (T/2)². So, writing T = 2τ,

$$ \begin{aligned}
E[\mathrm{price}_{\mathrm{col}}] &\ge \frac{1}{2}\cdot\frac{T^2 - T/2 - (T/2)^2}{T-1}
 = \frac{1}{2}\cdot\frac{4\tau^2 - \tau - \tau^2}{2\tau-1}
 = \frac{1}{2}\cdot\frac{3\tau^2-\tau}{2\tau-1} \\
&= \frac{1}{2}\cdot\frac{\tau\,(3\tau-1)}{2\tau-1}
 \ge \frac{1}{2}\cdot\frac{3\tau}{2} = \frac{3\tau}{4} ,
\end{aligned} $$

since (3τ − 1)/(2τ − 1) ≥ 3/2 for τ ≥ 1. Hence m_0 ≥ 3τ/4, so the best success rate is at most 2^{−3τ/4},
which is the bound needed for κ = 3τ/4.
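The price accounting of Lemmas 11 and 12 carried through in code, as an added Python example (not code from the paper). For a colouring given as a list `col`, `expected_price_exact` enumerates every pairing of T = 2τ balls and averages the price over S(π), `expected_price_formula` evaluates the closed form (T² − a_0 − Σ_{i≥1} a_i²)/(2(T − 1)) derived above, and `worst_case_bound` is τ(3τ − 1)/(2(2τ − 1)), which is never below 3τ/4. Function names are this example's own; the tie-break for col_0 follows the definition in the text.

```python
# Added example (not the paper's code): expected price over a random pairing.
from fractions import Fraction

def most_common_colour(col):
    """col_0: the most common colour, ties broken by the numerically largest."""
    counts = {}
    for c in col:
        counts[c] = counts.get(c, 0) + 1
    top = max(counts.values())
    return max(c for c, n in counts.items() if n == top)

def price(col, pi):
    """Sum over j in S(pi) of price_{col,pi}(j): 1 for a mismatched pair,
    1 for a matched pair of colour col_0, 0 for a matched pair of another colour."""
    col0 = most_common_colour(col)
    total = 0
    for j in range(len(pi)):
        if j < pi[j]:                      # j in S(pi)
            k = pi[j]
            if col[j] != col[k] or col[j] == col0:
                total += 1
    return total

def all_pairings(items):
    """Enumerate every perfect matching of a list of ball indices."""
    if not items:
        yield {}
        return
    first, rest = items[0], items[1:]
    for idx, partner in enumerate(rest):
        others = rest[:idx] + rest[idx + 1:]
        for m in all_pairings(others):
            m = dict(m)
            m[first], m[partner] = partner, first
            yield m

def expected_price_exact(col):
    """E[price_col] by exhaustive enumeration of pairings (small T only)."""
    T = len(col)
    total, n = Fraction(0), 0
    for m in all_pairings(list(range(T))):
        pi = [m[j] for j in range(T)]
        total += price(col, pi)
        n += 1
    return total / n

def expected_price_formula(col):
    """The closed form (T^2 - a_0 - sum_{i>=1} a_i^2) / (2 (T - 1))."""
    T = len(col)
    col0 = most_common_colour(col)
    counts = {}
    for c in col:
        counts[c] = counts.get(c, 0) + 1
    a0 = counts[col0]
    rest_sq = sum(n * n for c, n in counts.items() if c != col0)
    return Fraction(T * T - a0 - rest_sq, 2 * (T - 1))

def worst_case_bound(tau):
    """Minimum of E[price] over colourings of T = 2 tau balls:
    tau (3 tau - 1) / (2 (2 tau - 1)), which is >= 3 tau / 4 for tau >= 1."""
    return Fraction(tau * (3 * tau - 1), 2 * (2 * tau - 1))

if __name__ == "__main__":
    for col in ([1, 1, 2, 2], [1, 1, 1, 2, 3, 3], [1, 1, 1, 2, 2, 2]):
        print(col, expected_price_exact(col), expected_price_formula(col))
    print("worst case tau=3:", worst_case_bound(3), ">= 3*3/4 =", Fraction(9, 4))
```

`[1, 1, 2, 2]` is the extremal colouring a_0 = a_1 = T/2 for τ = 2 and gives 5/3 both by enumeration and by the bound; the second list checks the formula on an uneven histogram.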



E Efficient OT Extension

In this section we show how we can produce a virtually unbounded number of OTs from a small
number of seed OTs. The amortized work per produced OT is linear in κ, the security parameter.

A similar result was proved in [HIKN08]. In [HIKN08] the amortized work is linear in κ too, but
our constants are much better than those of [HIKN08]. In fact, our constants are small enough to
make the protocol very practical.¹ Since [HIKN08] does not attempt to analyze the exact complexity
of the result, it is hard to give a concrete comparison, but since the result in [HIKN08] goes over
generic secure multiparty computation of non-trivial functionalities, the constants are expected to
be huge compared to ours.

Let κ be the security parameter. We show that OT(ℓ, κ) is linear reducible to (OT(8κ/3, κ),
EQ(4κℓ/3)) for any ℓ = poly(κ), i.e., given 8κ/3 active-secure OTs of κ-bit strings we can produce an
essentially unbounded number of active-secure OTs of κ-bit strings. The amortized work involved
in each of these ℓ OTs is linear in κ, which is optimal.

The approach is as follows.

1. Use OT(8κ/3, κ) and a pseudo-random generator to implement OT(8κ/3, ℓ).

¹ As an example, our test run (see Sect. 7) with ℓ = 54 involved generating 44,826,624 aBits, each of which can
be turned into one OT using two applications of a hash function. The generation took 85 seconds. Using these
numbers gives an estimate of 527,372 actively secure OTs per second. Note, however, that the generation involved
many other things than generating the aBits, like combining them to aOTs and aANDs.
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2. Use OT(|k,^) and EQ(|k^) to implement WaBit^ for I authentications with ^K-bit keys and 
MACs and with C being K-secure. 

3. Use a random oracle H : {0, Ijs'* {0, l}*^ and WaBit"^ for ^ authentications with |K-bit keys 
to implement 0T(^, k), as described below. 

Here, as in |HIKN08] . we consider a hashing of 0{k) bits to be linear work. The pseudo-random 
generator can be implemented with linear work using H. 

From WaBit to OT. As a first step, we notice that the aBit box described in Sect. 4.2 resembles an intermediate step of the passive-secure OT extension protocol of [IKNP03]: an aBit can be seen as a random OT where all the sender's messages are correlated, in the sense that the XOR of the two messages in any OT is a constant (the global key of the aBit). This correlation can easily be broken using the random oracle. In fact, even if a few bits of the global difference Δ leak to the adversary, the same reduction still works (for an appropriate choice of the parameters). Therefore, we are able to start directly from the box for authenticated bits with weak key, or WaBit, described in Sect. 4.1.



1. For the sender S the box samples X_{i,0}, X_{i,1} ∈_R {0,1}^κ for i = 1, ..., ℓ. If S is corrupted, then it gets to specify these inputs.

2. For the receiver R the box samples b = (b_1, ..., b_ℓ) ∈_R {0,1}^ℓ. If R is corrupted, then it gets to specify these inputs.

3. The box outputs ((X_{1,b_1}, b_1), ..., (X_{ℓ,b_ℓ}, b_ℓ)) to R and ((X_{1,0}, X_{1,1}), ..., (X_{ℓ,0}, X_{ℓ,1})) to S.

Fig. 25. The Random OT box ROT(ℓ, κ)

1. Call WaBit(ℓ, (8/3)κ). The output to R is ((M_1, b_1), ..., (M_ℓ, b_ℓ)). The output to S is (Δ, K_1, ..., K_ℓ).

2. R computes Y_i = H(M_i) and outputs ((Y_1, b_1), ..., (Y_ℓ, b_ℓ)).

3. S computes X_{i,0} = H(K_i) and X_{i,1} = H(K_i ⊕ Δ) and outputs ((X_{1,0}, X_{1,1}), ..., (X_{ℓ,0}, X_{ℓ,1})).

Fig. 26. The protocol for reducing ROT(ℓ, κ) to WaBit(ℓ, (8/3)κ)

Here κ is the security level, i.e., we want to implement OT with insecurity poly(κ)2^{-κ}. We are to use an instance of WaBit with slightly larger keys. Specifically, let τ = (8/3)κ, as we know how to implement a box WaBit with τ-bit keys and where C is κ-secure for κ = (3/8)τ. We implemented such a box in Sect. 4.1. The protocol is given in Fig. 26. It implements the box for random OT given in Fig. 25.

We have that M_i = K_i ⊕ b_iΔ, so Y_i = H(M_i) = H(K_i ⊕ b_iΔ) = X_{i,b_i}. Clearly the protocol leaks no information on the b_i as there is no communication from R to S. It is therefore sufficient to look at the case where R is corrupted. We are not going to give a simulation argument but just show that X_{i,1⊕b_i} is uniformly random to R except with probability poly(κ)2^{-κ}.

Since X_{i,1⊕b_i} = H(K_i ⊕ (1⊕b_i)Δ) and H is a random oracle, it is clear that X_{i,1⊕b_i} is uniformly random to R until R queries H on Q = K_i ⊕ (1⊕b_i)Δ. Since M_i = K_i ⊕ b_iΔ we have that Q = K_i ⊕ (1⊕b_i)Δ would imply that M_i ⊕ Q = Δ. So, if we let R query H on Q ⊕ M_i each time it queries H on some Q, which would not change its asymptotic running time, then we have that all X_{i,1⊕b_i} are uniformly random to R until it queries H on Δ. It is not hard to show that the probability with which an adversary running in time t = poly(κ) can ensure that WaBit does not fail and then query H on Δ is poly(κ)2^{-κ}. This follows from the κ-security of C.
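The reduction of Fig. 26, as an added worked example (this is not code from the paper): the WaBit box is simulated locally as an ideal functionality with a fresh global key Δ, SHA-256 truncated to κ bits stands in for the random oracle H, and the sizes κ = 96 and τ = (8/3)κ = 256 are choices for the demo. The checks confirm Y_i = X_{i,b_i}, show that the sender's pairs all differ by the same constant before hashing and by unrelated values after it, and show that the unchosen string is only reachable through a query on M_i ⊕ Δ, which is the event the argument above bounds.

```python
import hashlib
import secrets

KAPPA = 96            # security parameter kappa (bits); demo choice
TAU = 8 * KAPPA // 3  # WaBit key length tau = (8/3) kappa = 256 bits; demo choice


def H(v: int) -> int:
    """Random-oracle stand-in H: {0,1}^tau -> {0,1}^kappa (SHA-256, truncated)."""
    digest = hashlib.sha256(v.to_bytes(TAU // 8, "big")).digest()
    return int.from_bytes(digest[: KAPPA // 8], "big")


def wabit_box(ell: int):
    """Local stand-in for the WaBit(ell, tau) box: S gets (Delta, K_1..K_ell) and
    R gets ((M_1, b_1), ..., (M_ell, b_ell)) with M_i = K_i xor b_i*Delta."""
    delta = secrets.randbits(TAU)
    keys = [secrets.randbits(TAU) for _ in range(ell)]
    bits = [secrets.randbits(1) for _ in range(ell)]
    macs = [k ^ (b * delta) for k, b in zip(keys, bits)]
    return delta, keys, list(zip(macs, bits))


def rot_from_wabit(ell: int):
    """Fig. 26: hash the correlated WaBit outputs into a random OT ROT(ell, kappa)."""
    delta, keys, receiver_view = wabit_box(ell)
    r_out = [(H(m), b) for m, b in receiver_view]  # R: Y_i = H(M_i)
    s_out = [(H(k), H(k ^ delta)) for k in keys]   # S: X_{i,0} = H(K_i), X_{i,1} = H(K_i xor Delta)
    return s_out, r_out, delta, keys, receiver_view


def is_correct_rot(s_out, r_out) -> bool:
    """Y_i = X_{i,b_i}: R holds exactly the sender string selected by its bit."""
    return all(y == pair[b] for pair, (y, b) in zip(s_out, r_out))


def xor_difference_count(pairs) -> int:
    """Number of distinct values X_0 xor X_1 over the pairs: 1 means fully correlated
    (every pair differs by the same constant), ell means the correlation is gone."""
    return len({a ^ b for a, b in pairs})


def other_message_needs_delta(m: int, b: int, delta: int, pair) -> bool:
    """The unchosen string is H(M_i xor Delta): R can only reach it through a query
    on M_i xor Delta, i.e. by knowing Delta (the adversary's target in the argument)."""
    return H(m ^ delta) == pair[1 ^ b]
```

Before hashing, the sender's two strings in every OT are (K_i, K_i ⊕ Δ), so a single leaked pair reveals the constant that links all of them; after hashing the pairs are independent-looking κ-bit strings, which is exactly what ROT(ℓ, κ) promises.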
F Proof of Thm. 5



The simulator answers global key queries to the dealer by doing the identical global key queries on the ideal functionality LaOT(ℓ) and returning the reply from LaOT(ℓ). This gives a perfect simulation of these queries, and we ignore them below.

For honest sender and receiver correctness of the protocol follows immediately from correctness 
of the aBit box and the EQ box. 

Lemma 13. The protocol in Fig. 15 securely implements LaOT(ℓ) against corrupted A.

Proof. We consider the case of a corrupt sender A* running the above protocol against a simulator Sim. We show how to simulate one instance.

1. First Sim receives A*'s input (M_{x_0}, x_0), (M_{x_1}, x_1), K_c, K_r and Δ_B to the dealer. Then Sim samples a bit y ∈_R {0,1}, sets K_z = K_r ⊕ yΔ_B and inputs (M_{x_0}, x_0), (M_{x_1}, x_1), K_c, K_z and Δ_B to a LaOT box. The box outputs Δ_A, (M_c, c), (M_z, z), K_{x_0} and K_{x_1} to the honest B as described in the protocol.

2. A* outputs the message (X_0, X_1). The simulator knows Δ_B and K_c and can therefore compute

$$X_0 \oplus H(K_c) = (\bar{x}_0 \,\|\, \bar{M}_{x_0} \,\|\, \bar{T}_0)$$

and

$$X_1 \oplus H(K_c \oplus \Delta_B) = (\bar{x}_1 \,\|\, \bar{M}_{x_1} \,\|\, \bar{T}_1).$$

For all j ∈ {0,1} Sim tests if (M̄_{x_j}, x̄_j) = (M_{x_j}, x_j). If, for some j, this is not the case, Sim inputs a guess to the LaOT box guessing that c = 1 - j. If the box outputs fail, Sim does the same and aborts the protocol. Otherwise Sim proceeds by sending y to A*. Notice that if Sim does not abort but does guess the choice bit c, it can perfectly simulate the remaining protocol. In the following we therefore assume this is not the case.

3. Similarly Sim gets (I_0, I_1) from A* and computes

$$I_0 \oplus H(K_z) = \bar{T}'_0$$

and

$$I_1 \oplus H(K_z \oplus \Delta_B) = \bar{T}'_1.$$

4. When Sim receives A*'s input (T_0, T_1) for the EQ box it first tests if (T̄_j, T̄'_{x_j}) = (T_{x_j}, T_{1⊕x_j}) for all j ∈ {0,1}. If, for some j, this is not the case, Sim inputs a guess to the LaOT box guessing that c = 1 - j. If the box outputs fail, Sim outputs fail and aborts. If not, the simulation is over.

For the analysis of the simulation we denote by F the event that for some j ∈ {0,1} A* computes values M*_{x_j} ∈ {0,1}^κ and x*_j ∈ {0,1} so that (M*_{x_j}, x*_j) ≠ (M_{x_j}, x_j) and M*_{x_j} = K_{x_j} ⊕ x*_jΔ_A. In other words, F is the event that A* computes a MAC on a message bit it was not supposed to know. We will now show that, assuming F does not occur, the simulation is perfectly indistinguishable from the real protocol. We then show that F only occurs with negligible probability and therefore that the simulation and the real protocol are indistinguishable.

From the definition of the LaOT box we have that (M̄_{x_j}, x̄_j) = (M_{x_j}, x_j) implies M̄_{x_j} = K_{x_j} ⊕ x̄_jΔ_A. Given the assumption that F does not occur, clearly (M̄_{x_j}, x̄_j) ≠ (M_{x_j}, x_j) also implies M̄_{x_j} ≠ K_{x_j} ⊕ x̄_jΔ_A. This means that Sim aborts in step 2 with exactly the same probability as the honest receiver would in the real protocol. Also, in the real protocol we have y = z ⊕ r for r ∈_R {0,1}, thus both in the real protocol and in the simulation y is distributed uniformly at random in the view of A*.

Next, in steps 3 and 4 of the simulation notice that in the real protocol, if c = j ∈ {0,1}, an honest B would input T̄_j and T̄'_{x_j} to EQ (sorted in the correct order). The protocol would then continue if and only if (T̄_j, T̄'_{x_j}) = (T_{x_j}, T_{1⊕x_j}) and abort otherwise. I.e., the real protocol would continue if and only if (T̄_j, T̄'_{x_j}) = (T_{x_j}, T_{1⊕x_j}) and c = j, which is exactly what happens in the simulation. Thus we have that, given F does not occur, all input to A* during the simulation is distributed exactly as in the real protocol. In other words the two are perfectly indistinguishable.

Now assume F does occur, that is, for some j ∈ {0,1} A* computes values M*_{x_j} and x*_j as described above. In that case A* could compute the global key of the honest receiver as M*_{x_j} ⊕ M_{x_j} = Δ_A. However, since all inputs to A* are independent of Δ_A (during the protocol), A* can only guess Δ_A with negligible probability (during the protocol) and thus F can only occur with negligible probability (during the protocol). After the protocol A*, or rather the environment, will receive outputs and learn Δ_A, but this does not change the fact that guessing Δ_A during the protocol can be done only with negligible probability. □

Lemma 14. The protocol in Fig. 15 securely implements LaOT(ℓ) against corrupted B.

Proof. We consider the case of a corrupt receiver B* running the above protocol against a simulator Sim. The simulation runs as follows.

1. The simulation starts by Sim getting B*'s input to the dealer Δ_A, (M_c, c), (M_r, r), K_{x_0} and K_{x_1}. Then Sim simply inputs Δ_A, (M_c, c), M_z = M_r, K_{x_0} and K_{x_1} to the LaOT box. The box outputs z to Sim and Δ_B, (M_{x_0}, x_0), (M_{x_1}, x_1), K_c and K_z to the sender as described above.

2. Like the honest sender, Sim samples random keys T_0, T_1 ∈_R {0,1}^κ. Since Sim knows M_c, K_{x_0}, K_{x_1}, Δ_A, c and z = x_c it can compute X_c = H(M_c) ⊕ (z ‖ M_{x_c} ‖ T_z) exactly as the honest sender would. It then samples X_{1⊕c} ∈_R {0,1}^{2κ+1} and inputs (X_0, X_1) to B*.

3. The corrupt receiver B* replies by sending some y ∈ {0,1}.

4. Sim sets z = r ⊕ y, computes I_z = H(M_z) ⊕ T_{1⊕z} and samples I_{1⊕z} ∈_R {0,1}^κ. It then inputs (I_0, I_1) to B*.

5. B* outputs some (T̄_0, T̄_1) for the EQ box and Sim continues or aborts as the honest A would in the real protocol, depending on whether or not (T̄_0, T̄_1) = (T_0, T_1).

For the analysis we denote by F the event that B* queries the RO on K_c ⊕ (1⊕c)Δ_B or K_z ⊕ (1⊕z)Δ_B. We first show that, assuming F does not occur, the simulation is perfect. We then show that F only occurs with negligible probability (during the protocol) and thus the simulation is indistinguishable from the real protocol (during the protocol). We then discuss how to simulate the RO after outputs have been delivered.

First, in the view of B*, step 1 of the simulation is clearly identical to the real protocol. Thus the first deviation from the real protocol appears in step 2 of the simulation, where X_{1⊕c} is chosen uniformly at random. However, assuming F does not occur, B* has no information on H(K_c ⊕ (1⊕c)Δ_B), thus in the view of B*, X_{1⊕c} in the real protocol is a one-time pad encryption of (x_{1⊕c} ‖ M_{x_{1⊕c}} ‖ T_{x_{1⊕c}}). In other words, assuming F does not occur, to B*, X_{1⊕c} is uniformly random in both the simulation and the real protocol, and thus all input to B* up to step 2 is distributed identically in the two cases.

For steps 3 to 5 notice that in the real protocol an honest sender would set K_z = K_r ⊕ yΔ_B and we would have

$$(K_r \oplus y\Delta_B) \oplus z\Delta_B = K_r \oplus r\Delta_B = M_r .$$

Thus we have that the simulation generates I_z exactly as in the real protocol. An argument similar to the one above for step 2 then gives us that the simulation is perfect given the assumption that F does not occur.

We now show that B* can be modified so that if F does occur, then B* can find Δ_B. However, since all inputs to B* are independent of Δ_B (during the protocol), B* only has negligible probability of guessing Δ_B and thus we can conclude that F only occurs with negligible probability.

The modified B* keeps a list Q = (Q_1, ..., Q_q) of all B*'s queries to H. Since B* is efficient we have that q is a polynomial in κ. To find Δ_B the modified B* then goes over all Q_k ∈ Q and computes Q_k ⊕ M_z = Δ' and Q_k ⊕ M_c = Δ''. Assuming that F does occur there will be some Q_{k'} ∈ Q s.t. Δ' = Δ_B or Δ'' = Δ_B. The simulator can therefore use global key queries to find Δ_B if F occurs.

We then have the issue that after outputs are delivered to the environment, the environment learns Δ_B, and we have to keep simulating H to the environment after outputs are delivered. This is handled exactly as in the proof of Thm. 7 in App. H using the programmability of the RO. □
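The message flow that Lemmas 13 and 14 reason about, assembled into an added example (not the paper's code; Fig. 15 itself is not reproduced on this page, so the flow is taken from the equations in the two proofs): a dealer hands out aBits with M = K ⊕ bΔ, A encrypts (x_j ‖ M_{x_j} ‖ T_{x_j}) under H(K_c ⊕ jΔ_B), B opens slot c with M_c and checks the MAC, B sends y = r ⊕ z, A re-keys K_z = K_r ⊕ yΔ_B and sends I_j = H(K_z ⊕ jΔ_B) ⊕ T_{1⊕j}, and the EQ box compares (T_0, T_1). The optional bad_slot argument models the leak the proof describes: a sender who plants a wrong MAC in slot j is caught exactly when c = j, so a run that does not abort tells the sender that c ≠ j. SHAKE-256 stands in for H and κ = 128 is a demo choice.

```python
import hashlib
import secrets

KAPPA = 128
MASK = (1 << KAPPA) - 1


def H(v: int, nbits: int) -> int:
    """Random-oracle stand-in H: {0,1}^kappa -> {0,1}^nbits (SHAKE-256, truncated)."""
    out = hashlib.shake_256(v.to_bytes(KAPPA // 8, "big")).digest((nbits + 7) // 8)
    return int.from_bytes(out, "big") & ((1 << nbits) - 1)


def pack(x: int, M: int, T: int) -> int:
    """(x || M || T) as a (2*kappa+1)-bit integer."""
    return (x << (2 * KAPPA)) | (M << KAPPA) | T


def unpack(v: int):
    return (v >> (2 * KAPPA)) & 1, (v >> KAPPA) & MASK, v & MASK


def run_laot(x0, x1, c, r, bad_slot=None):
    """One LaOT instance. Returns None on abort, else (z, M_z held by B, K_z held by A, Delta_B).
    bad_slot=j models a corrupt sender who puts a wrong MAC into slot j."""
    delta_a, delta_b = secrets.randbits(KAPPA), secrets.randbits(KAPPA)
    # Dealer (aBit box): B holds keys for A's bits x0, x1; A holds keys for B's bits c, r.
    K_x0, K_x1 = secrets.randbits(KAPPA), secrets.randbits(KAPPA)
    M_x0, M_x1 = K_x0 ^ (x0 * delta_a), K_x1 ^ (x1 * delta_a)
    K_c, K_r = secrets.randbits(KAPPA), secrets.randbits(KAPPA)
    M_c, M_r = K_c ^ (c * delta_b), K_r ^ (r * delta_b)

    # A: random T_0, T_1 and X_j = H(K_c xor j*Delta_B) xor (x_j || M_{x_j} || T_{x_j})
    T = [secrets.randbits(KAPPA), secrets.randbits(KAPPA)]
    X = []
    for j, (xj, Mxj) in enumerate(((x0, M_x0), (x1, M_x1))):
        if bad_slot == j:
            Mxj ^= 1  # corrupt sender: the MAC in slot j is wrong
        X.append(H(K_c ^ (j * delta_b), 2 * KAPPA + 1) ^ pack(xj, Mxj, T[xj]))

    # B: open slot c with M_c = K_c xor c*Delta_B and verify the MAC on z under K_{x_c}
    z, M_z, T_seen = unpack(X[c] ^ H(M_c, 2 * KAPPA + 1))
    K_xc = K_x1 if c else K_x0
    if M_z != K_xc ^ (z * delta_a):
        return None  # abort: A's value for x_c does not carry a valid MAC
    y = r ^ z

    # A: re-key r into z and send I_j = H(K_z xor j*Delta_B) xor T_{1 xor j}
    K_z = K_r ^ (y * delta_b)
    I = [H(K_z ^ (j * delta_b), KAPPA) ^ T[1 ^ j] for j in (0, 1)]

    # B: M_r = K_z xor z*Delta_B authenticates z, so B opens I_z and learns T_{1 xor z}
    T_other = I[z] ^ H(M_r, KAPPA)
    b_pair = [0, 0]
    b_pair[z], b_pair[1 ^ z] = T_seen, T_other

    # EQ box on (T_0, T_1): both sides must hold the same pair, else abort
    if b_pair != T:
        return None
    return z, M_r, K_z, delta_b


def outputs_consistent(x0, x1, c, r) -> bool:
    """z = x_c and B's MAC on z verifies under A's new key K_z."""
    out = run_laot(x0, x1, c, r)
    if out is None:
        return False
    z, M_z, K_z, delta_b = out
    return z == (x1 if c else x0) and M_z == K_z ^ (z * delta_b)


def bad_slot_aborts(c, bad_slot, r=0) -> bool:
    """True iff a wrong MAC in slot bad_slot makes the honest receiver abort."""
    return run_laot(0, 1, c, r, bad_slot=bad_slot) is None
```

The selective-failure behaviour of bad_slot is precisely the "guess" interface of the LaOT box: an abort happens only when the corrupted slot is the one the receiver opens, which is why the aOT protocol of Appendix G has to bucket several LaOTs together.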

G Proof of Thm. 6

We want to show that the protocol in Fig. 16 produces secure aOTs, having access to a box that produces leaky aOTs. Remember that a leaky aOT, or LaOT, is insecure in the sense that a corrupted sender can make guesses at any of the choice bits: if the guess is correct, the box does nothing and therefore the adversary knows that the guess was correct. If the guess is wrong, the box alerts the honest receiver about the cheating attempt and aborts.

In the protocol the receiver randomly partitions ℓB leaky OTs into ℓ buckets of size B. First we want to argue that the probability that every bucket contains at least one OT where the choice bit is unknown to the adversary is overwhelming. Repeating the same calculations as in the proof of Thm. 8 it turns out that this happens with probability bigger than 1 - (2ℓ)^{-(B-1)}.

Once we know that (with overwhelming probability) at least one OT in every bucket is secure for the receiver (i.e., at least one choice bit is uniformly random in the view of the adversary), the security of the protocol follows from the fact that we use a standard OT combiner [HKN+05]. Turning this into a simulation proof can easily be done in a way similar to the proof of Thm. 8 in App. I.

H Proof of Thm. 7

Proof. The simulator answers global key queries to the dealer by doing the identical global key queries on the ideal functionality LaAND(ℓ) and returning the reply from LaAND(ℓ). This gives a perfect simulation of these queries, and we ignore them below.

Notice that for honest sender and receiver correctness of the protocol follows immediately from correctness of the aBit box.

Lemma 15. The protocol in Fig. 19 securely implements the LaAND box against corrupted A.
Proof. We first focus on the simulation of the protocol before outputs are given to the environment. Notice that before outputs are given to the environment, the global key is uniformly random to the environment, as long as B is honest.

We consider the case of a corrupt sender A* running the above protocol against a simulator Sim for honest B.

1. First Sim receives A*'s input (M_x, x), (M_y, y), (M_r, r) for the dealer. Then Sim receives the bit d ∈ {0,1} from A*.

2. Sim samples a random U ∈_R {0,1}^κ and sends it to A*. Then Sim reads V, A*'s input to the EQ box. If V ≠ (1-x)H(M_x, M_z) ⊕ x(U ⊕ H(M_x, M_y ⊕ M_z)) or z = d ⊕ r ≠ xy, Sim outputs abort; otherwise it inputs (x, y, z, M_x, M_y, M_z = M_r) to the LaAND box.

The first difference between the real protocol and the simulation is that U = H(K_x, K_z) ⊕ H(K_x ⊕ Δ_A, K_y ⊕ K_z) in the real protocol and U is uniformly random in the simulation. Since H is a random oracle, this is perfectly indistinguishable to the adversary until it queries on both (K_x, K_z) and (K_x ⊕ Δ_A, K_y ⊕ K_z). Since Δ_A is uniformly random to the environment and the adversary during the protocol, this will happen with negligible probability during the protocol. We later return to how we simulate after outputs are given to the environment.

The other difference between the protocol and the simulation is that the simulation always aborts if z ≠ xy. Assume now that A* manages, in the real protocol, to make the protocol continue with z = xy ⊕ 1. If x = 0, this means that A* queried the oracle on (K_x, K_z) = (M_x, M_z ⊕ Δ_A); since Sim knows the outputs of the corrupted A, which include M_z, and sees the input M_z ⊕ Δ_A to the RO H, Sim can compute Δ_A from such a query. If x = 1 then A* must have queried the oracle on (K_x ⊕ Δ_A, K_y ⊕ K_z) = (M_x, M_y ⊕ M_z ⊕ Δ_A), which again would allow Sim to compute Δ_A. Therefore, in both cases we can use such an A* to compute the global key Δ_A and, given that all of A*'s inputs are independent of Δ_A during the protocol, this happens only with negligible probability.

Consider now the case after the environment is given outputs. These outputs include Δ_A. It might seem that there is nothing more to simulate after outputs are given, but recall that H is a random oracle simulated by Sim and that the environment might keep querying H. Our concern is that U is uniformly random in the simulation and U = H(K_x, K_z) ⊕ H(K_x ⊕ Δ_A, K_y ⊕ K_z) in the real protocol. We handle this as follows. Each time the environment queries H on an input of the form (Q_1, Q_2) ∈ {0,1}^{2κ}, go over all previous queries (Q_3, Q_4) of this form and let Δ = Q_1 ⊕ Q_3. Then do a global key query to aBit(3ℓ, κ) to determine if Δ = Δ_A. If Sim learns Δ_A this way, she proceeds as described now. Note that since A is corrupted, Sim knows all outputs to A, i.e., Sim knows all MACs M and all bits b. If b = 0, then Sim also knows the key, as K = M when b = 0. If b = 1, Sim computes the key as K = M ⊕ Δ_A. So, when Sim learns Δ_A, she at the same time learns all keys. Then for each U she simply programs the RO such that U = H(K_x, K_z) ⊕ H(K_x ⊕ Δ_A, K_y ⊕ K_z). This is possible as Sim learns Δ_A no later than when the environment queries on two pairs of inputs of the form (Q_1, Q_2) = (K_x, K_z) and (Q_3, Q_4) = (K_x ⊕ Δ_A, K_y ⊕ K_z). So, when Sim learns Δ_A, either H(K_x, K_z) or H(K_x ⊕ Δ_A, K_y ⊕ K_z) is still undefined. If it is H(K_x, K_z), say, which is undefined, Sim simply sets H(K_x, K_z) = U ⊕ H(K_x ⊕ Δ_A, K_y ⊕ K_z). □

Lemma 16. The protocol described in Fig. 19 securely implements the LaAND box against corrupted B.

Proof. We consider the case of a corrupt B* running the above protocol against a simulator Sim. The simulation runs as follows.

1. The simulation starts by Sim getting B*'s input to the dealer K_x, K_y, K_r and Δ_A.

2. The simulator samples a random d ∈_R {0,1}, sends it to B* and computes K_z = K_r ⊕ dΔ_A.

3. Sim receives U from B*, and reads V, B*'s input to the equality box.

4. If U = H(K_x, K_z) ⊕ H(K_x ⊕ Δ_A, K_y ⊕ K_z) and V = H(K_x, K_z), input (K_x, K_y, K_z) to the box for LaAND and complete the protocol (this is the case where B* is behaving as an honest player). Otherwise, if U ≠ H(K_x, K_z) ⊕ H(K_x ⊕ Δ_A, K_y ⊕ K_z) and V = H(K_x, K_z) or V = U ⊕ H(K_x ⊕ Δ_A, K_y ⊕ K_z), input g = 0 or g = 1 resp. into the LaAND box as a guess for the bit x. If the box outputs fail, output fail and abort, and otherwise complete the protocol.

The simulation is perfect: the view of B* consists only of the bit d, which is uniformly distributed both in the real game and in the simulation, and of the aborting condition, which is the same in the real and in the simulated game. □
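The U/V consistency check that Lemmas 15 and 16 analyse, as an added example (not the paper's code; the exact layout of Fig. 19 is not on this page, so the round is reconstructed from the formulas in the two proofs): B sends U = H(K_x, K_z) ⊕ H(K_x ⊕ Δ_A, K_y ⊕ K_z), A answers with V = H(M_x, M_z) if x = 0 and V = U ⊕ H(M_x, M_y ⊕ M_z) if x = 1, and the EQ box compares V with H(K_x, K_z). The laand_round function lets A claim an arbitrary z (so z ≠ xy is rejected, as in Lemma 15) and lets B send a malformed U (so the selective-failure leak on x from Lemma 16 is visible). SHA-256 stands in for H and κ = 128 is a demo choice.

```python
import hashlib
import secrets

KAPPA = 128


def H(a: int, b: int) -> int:
    """Random-oracle stand-in H: {0,1}^{2 kappa} -> {0,1}^kappa, applied to the pair (a, b)."""
    data = a.to_bytes(KAPPA // 8, "big") + b.to_bytes(KAPPA // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: KAPPA // 8], "big")


def laand_round(x, y, r, z_claim=None, tamper_U=False) -> bool:
    """One LaAND instance between sender A (bits x, y, r with MACs) and receiver B
    (keys and Delta_A). Returns True iff the EQ check passes.
    z_claim: the z that A announces through d = r xor z (None = honest, z = xy).
    tamper_U: B sends a malformed U (the selective-failure attack of Lemma 16)."""
    delta_a = secrets.randbits(KAPPA)
    K_x, K_y, K_r = (secrets.randbits(KAPPA) for _ in range(3))
    M_x, M_y, M_r = K_x ^ (x * delta_a), K_y ^ (y * delta_a), K_r ^ (r * delta_a)

    # A announces d so that z = r xor d; A's MAC on r doubles as its MAC on z (M_z = M_r)
    z = (x & y) if z_claim is None else z_claim
    d = r ^ z
    M_z = M_r
    # B re-keys: K_z = K_r xor d*Delta_A, so that M_z = K_z xor z*Delta_A holds
    K_z = K_r ^ (d * delta_a)

    # B -> A: U = H(K_x, K_z) xor H(K_x xor Delta_A, K_y xor K_z)
    U = H(K_x, K_z) ^ H(K_x ^ delta_a, K_y ^ K_z)
    if tamper_U:
        U ^= 1

    # A -> EQ: V = H(M_x, M_z) if x = 0, else U xor H(M_x, M_y xor M_z)
    V = H(M_x, M_z) if x == 0 else U ^ H(M_x, M_y ^ M_z)

    # EQ box: B's input is H(K_x, K_z); the protocol continues iff the two agree
    return V == H(K_x, K_z)


def honest_always_passes() -> bool:
    return all(laand_round(x, y, r) for x in (0, 1) for y in (0, 1) for r in (0, 1))


def wrong_z_always_aborts() -> bool:
    """An A that announces z = xy xor 1 is caught for every (x, y, r)."""
    return not any(laand_round(x, y, r, z_claim=(x & y) ^ 1)
                   for x in (0, 1) for y in (0, 1) for r in (0, 1))


def malformed_U_reveals_x(x, y=1, r=0) -> bool:
    """With a malformed U the check passes iff x = 0: B learns x from whether A aborts."""
    return laand_round(x, y, r, tamper_U=True)
```

Why the honest case always passes: for x = 0 we have z = 0, so M_z = K_z and V = H(K_x, K_z) directly; for x = 1 we have z = y, so M_y ⊕ M_z = K_y ⊕ K_z and the second hash in U cancels. A wrong z shifts one of the hash inputs by Δ_A, which is exactly the query the proof of Lemma 15 extracts Δ_A from. A corrupt B who flips U makes the x = 1 branch fail and the x = 0 branch succeed, which is the guess that the LaAND box models and that the bucketing of Thm. 8 has to absorb.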



I Proof of Thm. 8

Proof. The simulator answers global key queries to LaAND(Bℓ) by doing the identical global key queries on the ideal functionality aAND(ℓ) and returning the reply. This gives a perfect simulation of these queries, and we ignore them below.

It is easy to check that the protocol is correct and secure if both parties are honest or if A is corrupted.

What remains is to show that, even if B is corrupted and tries to guess some x's from the LaAND box, the overall protocol is secure.

We argue this in two steps. We first argue that the probability that B learns the x-bit for all triples in the same bucket is negligible. We then argue that when all buckets contain at least one triple for which x is unknown to B, then the protocol can be simulated given LaAND(Bℓ).

Call each of the triples a ball and call a ball leaky if B learned the x bit of the ball in the call to LaAND(Bℓ). Let γ denote the number of leaky balls.

For B of the leaky balls to end up in the same bucket, there must be a subset S of balls with |S| = B consisting of only leaky balls and a bucket i such that all the balls in S end up in i.

We first fix S and i and compute the probability that all balls in S end up in i. The probability that the first ball ends up in i is B/(Bℓ). The probability that the second ball ends up in i given that the first ball is in i is (B-1)/(Bℓ-1), and so on. We get a probability of

$$\frac{B}{B\ell} \cdot \frac{B-1}{B\ell-1} \cdots \frac{1}{B\ell-B+1} = \binom{B\ell}{B}^{-1}$$

that S ends up in i.

There are \binom{γ}{B} subsets S of size B consisting of only leaky balls and there are ℓ buckets, so by a union bound the probability that any bucket is filled by leaky balls is upper bounded by

$$\ell \binom{\gamma}{B} \binom{B\ell}{B}^{-1} .$$

This is assuming that there are exactly γ leaky balls. Note then that the probability of the protocol not aborting when there are γ leaky balls is 2^{-γ}. Namely, for each bit x that B tries to guess, he is caught with probability 1/2. So, the probability that B undetected can introduce γ leaky balls and have them end up in the same bucket is upper bounded by

$$\alpha(\gamma, \ell, B) = 2^{-\gamma} \, \ell \binom{\gamma}{B} \binom{B\ell}{B}^{-1} .$$

It is easy to see that

$$\frac{\alpha(\gamma+1, \ell, B)}{\alpha(\gamma, \ell, B)} = \frac{\gamma+1}{2(\gamma+1-B)} ,$$

so α(γ+1, ℓ, B)/α(γ, ℓ, B) > 1 iff γ < 2B-1, hence α(γ, ℓ, B) is maximized in γ at γ = 2B-1. If we let α'(B, ℓ) = α(2B-1, ℓ, B) it follows that the success probability of the adversary is at most

$$\alpha'(B, \ell) = 2^{-(2B-1)} \, \ell \, \frac{(2B-1)!\,(B\ell-B)!}{(B-1)!\,(B\ell)!} .$$

Writing out the product (2B-1)!(Bℓ-B)!/((B-1)!(Bℓ)!) it is fairly easy to see that for 2 ≤ B ≤ ℓ we have that

$$\frac{(2B-1)!\,(B\ell-B)!}{(B-1)!\,(B\ell)!} \le \frac{(2B)^B}{(B\ell)^B} ,$$

so

$$\alpha'(B, \ell) \le 2^{-(2B-1)} \, \ell \, \frac{2^B}{\ell^B} = 2^{-(B-1)} \ell^{-(B-1)} = (2\ell)^{-(B-1)} .$$
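The bucketing bound, worked as an added example (not the paper's code): α(γ, ℓ, B) is evaluated exactly with fractions so the claims above can be checked rather than trusted, namely that the ratio α(γ+1)/α(γ) is (γ+1)/(2(γ+1-B)), that γ = 2B-1 maximizes α, and that α'(B, ℓ) ≤ (2ℓ)^{-(B-1)}. This is the same bound Appendix G invokes for the aOT buckets, so the last function, which is an addition beyond what the text states, turns it around and returns the smallest bucket size B that meets a statistical security target for a given number of buckets ℓ.

```python
from fractions import Fraction
from math import comb, log2


def alpha(gamma: int, ell: int, B: int) -> Fraction:
    """alpha(gamma, ell, B) = 2^-gamma * ell * C(gamma, B) / C(B*ell, B): the union bound on
    'B introduces gamma leaky balls undetected and some bucket holds only leaky balls'."""
    return Fraction(ell * comb(gamma, B), 2 ** gamma * comb(B * ell, B))


def ratio(gamma: int, ell: int, B: int) -> Fraction:
    """alpha(gamma+1)/alpha(gamma); the text shows it equals (gamma+1) / (2(gamma+1-B))."""
    return alpha(gamma + 1, ell, B) / alpha(gamma, ell, B)


def worst_gamma(ell: int, B: int) -> int:
    """Smallest gamma in [B, B*ell] that maximizes alpha; the text says this is 2B-1."""
    best = B
    for g in range(B, B * ell + 1):
        if alpha(g, ell, B) > alpha(best, ell, B):
            best = g
    return best


def alpha_prime(ell: int, B: int) -> Fraction:
    """alpha'(B, ell) = alpha(2B-1, ell, B), the adversary's best success probability."""
    return alpha(2 * B - 1, ell, B)


def closed_form_bound(ell: int, B: int) -> Fraction:
    """(2 ell)^-(B-1), the bound derived in the text for 2 <= B <= ell."""
    return Fraction(1, (2 * ell) ** (B - 1))


def min_bucket_size(ell: int, sec_bits: int) -> int:
    """Smallest B with (2 ell)^-(B-1) <= 2^-sec_bits, i.e. (B-1) * log2(2 ell) >= sec_bits.
    (Parameter-selection helper added here; the text only states the bound.)"""
    B = 2
    while (B - 1) * log2(2 * ell) < sec_bits:
        B += 1
    return B
```

The bound improves with ℓ, which is why the paper's amortized figures get better for larger circuits: with ℓ = 1024 buckets a 40-bit statistical target needs B = 5, whereas ℓ = 8 needs B = 11.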

We now prove that, assuming each bucket has one non-leaky triple, the protocol is secure even for a corrupted B*.

We look only at the case of two triples, [x¹]_A, [y¹]_A, [z¹]_A and [x²]_A, [y²]_A, [z²]_A, being combined into [x]_A, [y]_A, [z]_A. It is easy to see why this is sufficient: Consider the iterative way we combine the B triples of a bucket. At each step we combine two triples, where one may be the result of previous combinations. Thus if a combination of two triples involving a non-leaky triple results in a non-leaky triple, the subsequent combinations involving that result will all result in a non-leaky triple.

In the real world a corrupted B* will input keys K_{x¹}, K_{y¹}, K_{z¹} and K_{x²}, K_{y²}, K_{z²} and Δ_A, and possibly some guesses at the x-bits, to the LaAND box. Then B* will see d = y¹ ⊕ y² and M_d = (K_{y¹} ⊕ K_{y²}) ⊕ dΔ_A, and A will output x = x¹ ⊕ x², y = y¹, z = z¹ ⊕ z² ⊕ dx² and M_x = (K_{x¹} ⊕ K_{x²}) ⊕ xΔ_A, M_y = K_{y¹} ⊕ yΔ_A, M_z = (K_{z¹} ⊕ K_{z²} ⊕ dK_{x²}) ⊕ zΔ_A to the environment.

Consider then a simulator Sim running against B* and using an aAND box. In the first step Sim gets all B*'s keys like in the real world. If B* submits a guess (i, g_i), Sim simply outputs fail and terminates with probability 1/2. To simulate revealing d, Sim samples d ∈_R {0,1}, sets M_d = K_{y¹} ⊕ K_{y²} ⊕ dΔ_A and sends d and M_d to B*. Sim then forms the keys K_x = K_{x¹} ⊕ K_{x²}, K_y = K_{y¹} and K_z = K_{z¹} ⊕ K_{z²} ⊕ dK_{x²} and inputs them to the aAND box on behalf of B*. Finally the aAND box will output random x, y and z = xy and M_x = K_x ⊕ xΔ_A, M_y = K_y ⊕ yΔ_A, M_z = K_z ⊕ zΔ_A.

We have already argued that the probability of B* guessing one of the x-bits is exactly 1/2, so Sim terminates the protocol with the exact same probability as the LaAND box in the real world. Notice then that, given the assumption that B* at most guesses one of the x-bits, all bits d, x and y are uniformly random to the environment both in the real world and in the simulation. Thus, because Sim can form the keys K_x, K_y and K_z to the aAND box exactly as they would be in the real world, the simulation will be perfect. □
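The combination step, as an added example (not the paper's code): authenticated bits are modelled as (bit, MAC) on A's side and a key on B's side with M = K ⊕ bΔ_A, two triples are combined exactly as written above (d = y¹ ⊕ y², x = x¹ ⊕ x², y = y¹, z = z¹ ⊕ z² ⊕ dx², with the same linear map applied to the MACs and to the keys), and combine_bucket folds a whole bucket of B triples through that step, which is the iterative use the text describes but does not spell out. B verifies A's MAC on the revealed d, so a tampered d is caught; the final checks confirm z = xy and that every MAC still verifies under B's keys. κ = 128 is a demo choice.

```python
import secrets

KAPPA = 128


class Dealer:
    """Toy aBit dealer: hands A (bit, MAC) and B the key, with MAC = key xor bit*Delta_A."""

    def __init__(self):
        self.delta = secrets.randbits(KAPPA)

    def abit(self, bit):
        key = secrets.randbits(KAPPA)
        return (bit, key ^ (bit * self.delta)), key

    def and_triple(self, x, y):
        """One LaAND output [x]_A, [y]_A, [z]_A with z = xy: (A's view, B's keys)."""
        (x, Mx), Kx = self.abit(x)
        (y, My), Ky = self.abit(y)
        (z, Mz), Kz = self.abit(x & y)
        return {"x": (x, Mx), "y": (y, My), "z": (z, Mz)}, {"x": Kx, "y": Ky, "z": Kz}


def combine_two(a1, k1, a2, k2, delta, tamper_d=False):
    """Combine triples 1 and 2 into one. Returns (A's triple, B's keys), or None if B rejects d."""
    (x1, Mx1), (y1, My1), (z1, Mz1) = a1["x"], a1["y"], a1["z"]
    (x2, Mx2), (y2, My2), (z2, Mz2) = a2["x"], a2["y"], a2["z"]
    # A reveals d = y1 xor y2 together with its MAC M_d = M_{y1} xor M_{y2}
    d, Md = y1 ^ y2, My1 ^ My2
    if tamper_d:
        d ^= 1  # a cheating A announces the wrong d
    # B verifies M_d = (K_{y1} xor K_{y2}) xor d*Delta_A
    if Md != (k1["y"] ^ k2["y"]) ^ (d * delta):
        return None
    # A's side: x = x1^x2, y = y1, z = z1^z2^d*x2, and the same linear map on the MACs
    x, y, z = x1 ^ x2, y1, z1 ^ z2 ^ (d & x2)
    Mx, My, Mz = Mx1 ^ Mx2, My1, Mz1 ^ Mz2 ^ (d * Mx2)
    # B's side: the same linear map on the keys
    Kx, Ky, Kz = k1["x"] ^ k2["x"], k1["y"], k1["z"] ^ k2["z"] ^ (d * k2["x"])
    return {"x": (x, Mx), "y": (y, My), "z": (z, Mz)}, {"x": Kx, "y": Ky, "z": Kz}


def combine_bucket(triples, delta):
    """Fold a bucket [(A-view, B-keys), ...] of size B into a single triple."""
    a, k = triples[0]
    for a2, k2 in triples[1:]:
        out = combine_two(a, k, a2, k2, delta)
        if out is None:
            return None
        a, k = out
    return a, k


def triple_is_valid(a, k, delta) -> bool:
    """z = xy and every MAC verifies under B's key and Delta_A."""
    (x, Mx), (y, My), (z, Mz) = a["x"], a["y"], a["z"]
    macs_ok = (Mx == k["x"] ^ (x * delta) and My == k["y"] ^ (y * delta)
               and Mz == k["z"] ^ (z * delta))
    return macs_ok and z == (x & y)


def bucket_combines_correctly(bits, bucket_size=4) -> bool:
    """Build a bucket from the given (x, y) pairs (random ones if None) and check the result."""
    dealer = Dealer()
    pairs = list(bits) if bits else [(secrets.randbits(1), secrets.randbits(1))
                                     for _ in range(bucket_size)]
    bucket = [dealer.and_triple(x, y) for x, y in pairs]
    out = combine_bucket(bucket, dealer.delta)
    return out is not None and triple_is_valid(out[0], out[1], dealer.delta)


def tampered_d_is_caught() -> bool:
    dealer = Dealer()
    (a1, k1), (a2, k2) = dealer.and_triple(1, 1), dealer.and_triple(0, 1)
    return combine_two(a1, k1, a2, k2, dealer.delta, tamper_d=True) is None
```

Note what the combination does and does not reveal: d = y¹ ⊕ y² is public, but the output x = x¹ ⊕ x² is uniform to B as long as at least one of x¹, x² is unknown to it, which is the property the bucket argument above guarantees.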

J Full Overview Diagram

[Diagram: a layered outline of the paper's reductions. Top layer: aOT and aAND. Middle layer: LaOT and LaAND. Bottom layer: OT and EQ. Each arrow between layers is labelled with the section giving that reduction (Sect. 3 and App. E are among the labels); the remaining section labels did not survive extraction.]

Fig. 27. Full paper outline